Nominal logic is an extension of first-order logic which provides a simple foundation for formalizing and reasoning about abstract syntax modulo consistent renaming of bound names (that is, α-equivalence). This article investigates logic programming based on nominal logic. We describe some typical nominal logic programs, and develop the model-theoretic, proof-theoretic, and operational semantics of such programs. Besides being of interest for ensuring the correct behavior of implementations, these results provide a rigorous foundation for techniques for analysis and reasoning about nominal logic programs, as we illustrate via examples.

Categories and Subject Descriptors: D.1.6 [PROGRAMMING TECHNIQUES]: Logic Programming; F.4.1 [MATHEMATICAL LOGIC AND FORMAL LANGUAGES]: Mathematical Logic — model theory, proof theory, logic and constraint programming
Declarative Programming enables one to concentrate on the essentials of a problem, without getting bogged down in too much operational detail.

— David Warren in [Sterling and Shapiro 1994] 

1. INTRODUCTION 

As stated by Warren, the ideal of logic programming is that all the programmer needs to do is describe the problem suitably and let the computer deal with the search for solutions. Thus, logic programming languages such as Prolog are very well-suited to problem-solving situations in which a problem can be formulated as a set of inference rules describing a solution. All the programmer has to do is describe the problem and ask the system to search for solutions.
Unfortunately, for some problems this ideal is not achievable in Prolog, the most well-known logic programming language, even in areas where this language is regarded as superior. Consider for example the usual three inference rules by which the type system for lambda-terms is specified:

$$\frac{x:\tau \in \Gamma}{\Gamma \vdash x : \tau} \qquad \frac{\Gamma \vdash e_1 : \tau \to \tau' \quad \Gamma \vdash e_2 : \tau}{\Gamma \vdash e_1\, e_2 : \tau'} \qquad \frac{\{x:\tau\} \cup \Gamma \vdash e : \tau'}{\Gamma \vdash \lambda x.e : \tau \to \tau'}$$

In the third rule it is often implicitly assumed that x is a variable not already present in Γ. Inferring a type for the term e in the context Γ should fit Prolog's declarative programming paradigm very well. However, a direct, naïve implementation of such typing rules, as for example given in [Mitchell 2003, Page 489]:

    mem(X, [X|T]).
    mem(X, [Y|T]) :- mem(X, T).
    tc(G, var(X), T) :- mem((X,T), G).
    tc(G, app(E1,E2), T') :- tc(G, E1, arrTy(T,T')), tc(G, E2, T).
    tc(G, lam(X,E), arrTy(T,T')) :- tc([(X,T)|G], E, T').

behaves incorrectly on terms in which a lambda-bound name "shadows" another binding occurrence of a name. For example, typechecking the lambda-term λx.λx.(x x) via the query

    ?- tc([], lam(x, lam(x, app(var(x), var(x)))), U).

yields two answers:

    U = arrTy(T, arrTy(arrTy(T,T'), T'))
    U = arrTy(arrTy(T,T'), arrTy(T,T'))

The first answer corresponds to binding the first bound occurrence of x to the inner binder and the second to the outer binder; the second corresponds to the reverse binding. Neither is correct, since this term is not well-typed. This assumes that the implementation performs occurs checks — if the checks are omitted, this query may diverge instead.

This problem can be worked around in several ways, including judicious use of the "cut" pruning operator to ensure that only the most recent binding of a repeated variable can be used (e.g. in the first clause of mem), or by defining a gensym predicate, defining capture-avoiding substitution, and performing explicit α-renaming (see [Clocksin and Mellish 2003]), but both solutions rely on nonlogical, nondeclarative features of Prolog, and the resulting programs generally only work properly in the "forward" direction (when used with ground G and E). Thus, one loses declarativeness and becomes "bogged down in operational detail" almost immediately even for the simplest problems involving name-binding.

The problems with the naive implementation stem from the lack of support for names, name-binding and alpha-equivalence in Prolog. A number of techniques for incorporating such support into logic programming languages have been investigated, including higher-order logic programming [Nadathur and Miller 1998], Qu-Prolog [Staples et al. 1989], and logic programming with binding algebras [Hamana 2001].
Of these approaches, higher-order logic programming may be the most convenient and compelling. For example, the typechecking relation can be implemented in λProlog as follows:

    tc (app E1 E2) T' :- tc E1 (arrTy T T'), tc E2 T.
    tc (lam (λx. E x)) (arrTy T T') :- Πx. tc x T ⇒ tc (E x) T'.

Here, meta-language variables and λ-bindings are used to represent object-language variables and bindings; object language application and lambda-abstraction are represented using constants app : exp → exp → exp and lam : (exp → exp) → exp. Moreover, local parameters (introduced using the universal quantifier Π) and local assumptions (introduced using the implication connective ⇒) are used to represent the scope restrictions on the local variable and its type assumption. Thus, the meta-language's context is used to implement locally-scoped parameters and hypotheses of the object language.

Higher-order abstract syntax is a very elegant technique for programming with and reasoning about languages with binding syntax. Unfortunately, there are some situations in which higher-order encodings are no simpler than first-order equivalents; sometimes, the use of higher-order features even obstructs natural-seeming programming techniques. As a case in point, consider the following informal definition of the alpha-inequivalence relation:

$$\frac{x \neq y}{x \not\approx_\alpha y} \qquad \frac{e_1 \not\approx_\alpha e_1'}{e_1\,e_2 \not\approx_\alpha e_1'\,e_2'} \qquad \frac{e_2 \not\approx_\alpha e_2'}{e_1\,e_2 \not\approx_\alpha e_1'\,e_2'} \qquad \frac{e \not\approx_\alpha e'}{\lambda x.e \not\approx_\alpha \lambda x.e'}$$

$$e_1\,e_2 \not\approx_\alpha \lambda x.e \qquad \lambda x.e \not\approx_\alpha e_1\,e_2 \qquad x \not\approx_\alpha e_1\,e_2 \qquad e_1\,e_2 \not\approx_\alpha x \qquad \lambda x.e \not\approx_\alpha y \qquad y \not\approx_\alpha \lambda x.e$$

Most of the clauses are easy to implement in, for example, λProlog; in particular, the implicit use of the Barendregt renaming convention in the λ-λ-rule can be used to provide an elegant, direct translation:

    aneq (lam (λx. E x)) (lam (λx. E' x)) :- Πx. aneq (E x) (E' x).

However, we appear "stuck" when we wish to encode the var-var-rule, since there is no obvious way of translating the informal side-condition x ≠ y to a predicate neq : exp → exp → o that succeeds only when its arguments are distinct eigenvariables.

It is, nevertheless, still possible to define the relation between closed terms in λProlog, in terms of auxiliary predicates aneq' : list exp → exp → exp → o, freshFor : exp → list exp → o, and neq : exp → exp → o:

    aneq E N :- aneq' [] E N.
    aneq' L X Y :- neq X Y.
    aneq' L (lam E) (lam E') :- Πx. freshFor x L ⇒ aneq' (x :: L) (E x) (E' x).

where the auxiliary predicate freshFor has no defining clauses and neq is defined as

    neq X Y :- freshFor X L, mem Y L.
    neq X Y :- freshFor Y L, mem X L.

We believe that this example illustrates that, just as first-order syntax is often too low-level because of the absence of first-class support for names and binding, higher-order syntax is sometimes too high-level because it abstracts away from the ability to compare and generate names as first-class data. Thus, there are cases where neither first-order nor higher-order logic programming enables us to simply "concentrate on the essentials of a problem" involving names and binding.

In this paper, we investigate a new approach in which both of the above examples (and a wide variety of other programs) can be implemented easily and (we argue) intuitively. Our approach is based on nominal logic, an extension of first-order logic introduced by Pitts [2003], and based on the novel approach to abstract syntax developed by Gabbay and Pitts [2002]. In essence, nominal logic axiomatizes an inexhaustible collection of names x, y and provides a first-order axiomatization of a name-binding operation (x)t (called abstraction) in terms of two primitive operations, swapping ((a b) · t) and freshness (a # t). In addition, nominal logic includes a novel quantified formula Иa.φ ("for fresh a, φ holds") which quantifies over fresh names.

In nominal logic, names and binding are abstract data types admitting only swapping, binding, and operations for equality and freshness testing. Name-abstractions (y)t are considered equal up to α-equivalence, defined in terms of swapping and freshness. For example, object variables x and lambdas λx.t can be encoded as nominal terms var(x) and abstractions lam((x)t) where var : id → exp and lam : (id)exp → exp. We can obtain a correct implementation of the tc relation above by replacing the third clause of tc with

    tc(G, lam((x)E), arrTy(T,U)) :- x # G, tc([(x,T)|G], E, U).

which we observe corresponds closely to the third inference rule (reading lam((x)E) as λx.E, x # G as x ∉ FV(Γ), and [(x,T)|G] as {x:τ} ∪ Γ). Similarly, the var-var clause of aneq can be implemented directly as

    aneq(var(X), var(Y)) :- X # Y.

where the inequality side-condition x ≠ y is captured by the constraint X # Y; all of the other clauses of aneq are also direct translations of their informal versions.

We refer to this approach to programming with names and binding modulo α-equivalence as nominal abstract syntax. This approach provides built-in α-equivalence and fresh name generation, while retaining a clear declarative interpretation. Names are sufficiently abstract that the low-level details of name generation and α-conversion can be hidden from the programmer, yet still sufficiently concrete that there is no difficulty working with open terms, freshness constraints, or inequalities among names precisely as is done "on paper". Nominal abstract syntax and nominal logic make possible a distinctive new style of meta-programming, which we call nominal logic programming.

It is important to emphasize that we are not attempting to make or defend a claim that nominal techniques are "superior" in some sense to other techniques in all cases. Instead, we argue only that nominal techniques provide an interesting and different approach which, in some cases (such as aneq above), does seem more convenient than other extant techniques. However, higher-order and some other techniques certainly have advantages that are not shared by our approach, such as the presence of built-in, efficient capture-avoiding substitution. It seems an open question whether the advantages of nominal and higher-order abstract syntax can be combined within a single system.

In this paper, we describe a particular implementation of nominal logic programming, called αProlog. We also investigate the semantics of nominal logic programs and discuss applications of these results.

— We first (Section 2) illustrate nominal logic programming via several examples written in αProlog, drawing on familiar examples based on the λ-calculus and π-calculus. The aim of these examples is to show that, in contrast to all other known approaches, αProlog programs can be used to encode calculi correctly yet without essential alterations to their paper representations. Thus, αProlog can be used as a lightweight prototyping tool by researchers developing new systems, or by students learning about existing systems. This section provides only a high-level discussion of nominal logic; readers who wish to understand the formal details before seeing examples may prefer to read Sections 3 and 4 first.

— We next (Section 3) provide a summary of nominal abstract syntax and nominal logic needed for the rest of the paper. We introduce the domain of nominal terms, which plays a similar role to ordinary first-order terms in Prolog or lambda-terms in λProlog, then review the semantics of term models of nominal logic (previously developed in [Cheney 2006a]), and finally define a core nominal logic programming language.

— Section 4 develops the semantics of nominal logic programs. This is crucial for justifying our claim that the notation and concepts of nominal logic match our intuition, and that nominal logic programs capture the informal meaning we assign to them. Using the foundations introduced in Section 3, we provide a model-theoretic semantics of nominal logic programs following Lloyd [1987]. We also introduce a uniform proof-theoretic semantics [Miller et al. 1991] via a variation of the proof-theoretic semantics of CLP, investigated by Darlington and Guo [1994] and Leach et al. [2001]. Finally, we present an operational semantics that models the low-level proof search behavior of an interpreter more directly. We prove appropriate soundness and completeness results relating these definitions along the way.

— In Section 5, we consider some applications of the semantics to issues arising in an implementation such as αProlog. We discuss how to use the semantics to check the correctness ("adequacy") of αProlog programs, and verify the correctness of a standard "elaboration" transformation and an optimization which permits us to avoid having to solve expensive, NP-complete nominal constraint solving problems during execution. This result supersedes an earlier characterization of Urban and Cheney [2005].

— Section 6 presents a detailed comparison of our work with previous techniques for incorporating support for name-binding into programming languages and Section 7 concludes.

In order to streamline the exposition, many routine cases in proofs in the body 
of the paper have been omitted. Complete proofs are available in appendices. 
Terms t, u ::= X | c | f(t) | a | (a)t | (a b) · t | i | 'c' | [] | t :: t' | [t1, ..., tn | t'] | (t, t')
Constructor types τ
Types σ
Basic kinds κ0
Kinds κ
Atomic formulas A
Goals G
Declarations D

Fig. 1. Concrete syntax summary



2. PROGRAMMING IN αPROLOG

2.1 Syntax

Before presenting examples, we sketch the concrete syntax we shall employ in this section for αProlog programs, shown in Figure 1. The concrete syntax used in this paper includes facilities for declarations of constants, function symbols, types and type abbreviations, clause declarations, and queries. To improve readability, the syntax employed in the paper differs slightly from the ASCII syntax employed in the current implementation. The nominal terms used in αProlog include standard first-order variables X, constants c, and function symbols f; also, we have new syntax for names a, name-abstractions (a)t, and swappings (a b) · t.

Names and name-abstractions are used to represent syntax with bound names in αProlog. The unification algorithm used by αProlog solves equations modulo an equational theory that equates terms modulo α-renaming of names bound using abstraction. Swappings are a technical device (similar to explicit substitutions [Abadi et al. 1991]) which are needed in constraint solving; they do not often appear in programs, but may appear in answer substitutions. We will present the details of the equational theory in Section 3.

αProlog also contains standard built-in types for pairing, lists, integers, and characters. Note that [t1, ..., tn | t'] is a standard Prolog notation for matching against an initial segment of a list; it is equivalent to t1 :: ··· :: tn :: t'.

User-defined types, including name types, can be introduced using declarations such as

    tid : type.    ntid : name_type.

Also, using functional kinds, we can introduce new type constructors used for user-defined parametrized types. For example, list could be declared as

    list : type → type.

Similarly, abstraction (ν)σ could be declared as

    ( ) : name_type → type → type.

Only first-order kinds are supported in the current implementation.

Type abbreviations (possibly with parameters) can be introduced using the syntax

    type tid α1 ··· αn = σ(α1, ..., αn).
Likewise, uninterpreted constants and function symbols (which we call (term) constructors) are declared using a similar notation:

    conid : τ.

Here τ is a "constructor type", that is, either a user-defined type constructor application tid σ̄ or a function type returning a constructor type. These restrictions ensure that user-defined term constructors cannot be added to built-in types, including name-types, lists and products. Constants and function symbols must return a user-defined data type; so, there can be no constants, function symbols, or other user-defined terms in a name type, only name-constants.

Interpreted function and predicate symbols can be defined using the syntax

    defid :: σ

for example,

    p :: a × a → o.    f :: a → a.

introduce constants for a binary relation p on type a and a unary function f on type a. There is no restriction on the return types of defined symbols.

As in Prolog, programs are defined using Horn clauses A :- G where A is an atomic formula and G is a goal formula. Atomic formulas include user-defined predicates p(t̄) as well as equations f(t̄) = u; in either case p or f must be a defined symbol of appropriate type, not a constructor.

Goal formulas G can be built up out of atomic formulas A, freshness constraints a # t, equations t ≈ u, conjunctions G, G', disjunctions G; G', existential quantification ∃X.G, or И-quantification Иa.G. The freshness constraint a # t holds if the name a does not appear free (that is, outside an abstraction) in t; equality t ≈ u between nominal terms is modulo α-renaming of name-abstractions. For example, (a)(a,b) ≈ (c)(c,b) ≉ (b)(b,b).

Polymorphism. αProlog permits type variables in declarations, which are treated polymorphically, following previous work on polymorphic typing in logic programming [Mycroft and O'Keefe 1984; Hanus 1991; Nadathur and Qi 2005]. Polymorphic type checking is performed in the standard way by generating equational constraints and solving them using unification. As observed by Hanus, handling general polymorphism in logic programming may require performing type-checking at run-time. To avoid this, the current implementation of αProlog rules out "non-parametric" polymorphic program clauses that specialize type variables, and requires all datatype constructors to be "type-preserving". For example, the second clause in

    head :: list a → a.
    head(X, X :: L).
    head(1, 1 :: L).

works only for a = int, not for arbitrary a, so is ruled out. Similarly, a "heterogeneous list" datatype such as

    hnil :: hlist.    hcons :: a × hlist → hlist.

is not allowed.
Terms e ::= x | λx.e | e e'
Types τ
Contexts Γ

Substitution:

$$x\{e/x\} = e \qquad y\{e/x\} = y \;\;(x \neq y) \qquad (e_1\,e_2)\{e/x\} = e_1\{e/x\}\; e_2\{e/x\} \qquad (\lambda y.e')\{e/x\} = \lambda y.e'\{e/x\} \;\;(y \notin FV(x,e))$$

Typing:

$$\frac{x:\tau \in \Gamma}{\Gamma \vdash x : \tau} \qquad \frac{\Gamma \vdash e : \tau \to \tau' \quad \Gamma \vdash e' : \tau}{\Gamma \vdash e\,e' : \tau'} \qquad \frac{\Gamma, x:\tau \vdash e : \tau'}{\Gamma \vdash \lambda x.e : \tau \to \tau'} \;\;(x \notin Dom(\Gamma))$$

Fig. 2. Lambda-calculus: syntax, substitution, and typing

Function definitions. As in other Prolog-like languages, it is often convenient to have a notation for writing predicates which are easier written as functions. For example, the functional definition

    append :: list a × list a → list a.
    append([], M) = M.
    append(X :: L, M) = X :: append(L, M).

can be viewed as an abbreviation for the relational definition

    appendp :: list a × list a × list a → o.
    appendp([], M, M).
    appendp(X :: L, M, X :: N) :- appendp(L, M, N).

Using this notation for functional definitions can considerably simplify a program. It is well-understood how to translate programs that use function notation to equivalent purely relational programs, via a translation called flattening [Hanus 1994]. More sophisticated techniques such as narrowing that have been investigated in functional logic programming could also be used; however, doing so will require extending equational unification techniques to nominal logic.

In αProlog, it turns out to be convenient to generalize this notation slightly to permit function definition clauses qualified by subgoals or constraints. An example is the subst program (discussed in Example 2.3), in which the declaration

    subst(var(Y), E, X) = var(Y) :- X # Y.

is flattened to the clause

    substp(var(Y), E, X, var(Y)) :- X # Y.
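The flattening translation just described, worked out in code as an added example (this is not code from the paper or from the αProlog implementation). It assumes a tuple representation of terms chosen here: a term is (symbol, arg1, ...), a bare string is a variable or name, an abstraction (y)t is ('abs', 'y', t), and the relational version of a defined function f is named f + 'p', following the paper's append/appendp naming. Each call to a defined function on the right-hand side or in a body goal becomes a fresh result variable plus an extra goal, which is exactly what turns append(X :: L, M) = X :: append(L, M) into appendp(X :: L, M, X :: N) :- appendp(L, M, N).

```python
# Added example: flattening function-definition clauses into relational clauses
# (after Hanus 1994). Representation assumptions are this example's, not the paper's:
# term = (symbol, arg1, ...); bare str = variable or name; ('abs', 'y', t) = (y)t;
# the relational counterpart of a defined function f is called f + 'p'.
from itertools import count


class Flattener:
    def __init__(self, defined):
        self.defined = set(defined)   # defined function symbols (not constructors)
        self.counter = count(1)       # source of fresh result variables _R1, _R2, ...

    def fresh_var(self):
        return f"_R{next(self.counter)}"

    def flatten(self, t):
        """Return (t', goals): every call f(args) to a defined function inside t is
        replaced by a fresh variable R and the goal fp(args', R) is emitted.
        Inner calls are flattened first, so nested calls become a chain of goals."""
        if isinstance(t, str):                      # variable or name: nothing to do
            return t, []
        sym, args = t[0], t[1:]
        new_args, goals = [], []
        for a in args:
            a2, g = self.flatten(a)
            new_args.append(a2)
            goals.extend(g)
        if sym in self.defined:
            r = self.fresh_var()
            goals.append((sym + "p", *new_args, r))
            return r, goals
        return (sym, *new_args), goals

    def flatten_clause(self, head, rhs, body=()):
        """f(args) = rhs :- body   becomes   fp(args, rhs') :- rhs_goals, body'.
        Head arguments are constructor patterns, so only rhs and body are flattened."""
        f, args = head[0], head[1:]
        rhs2, goals = self.flatten(rhs)
        for g in body:
            g2, gg = self.flatten(g)
            goals.extend(gg)
            goals.append(g2)
        return (f + "p", *args, rhs2), tuple(goals)


def show(t):
    """Render a term in the paper's concrete syntax (infix ::, #, pairs and (y)t)."""
    if isinstance(t, str):
        return t
    sym, args = t[0], t[1:]
    if sym in ("::", "#") and len(args) == 2:
        return f"{show(args[0])} {sym} {show(args[1])}"
    if sym == "abs":
        return f"({args[0]}){show(args[1])}"
    if sym == "pair" and len(args) == 2:
        return f"({show(args[0])}, {show(args[1])})"
    return f"{sym}({', '.join(show(a) for a in args)})"


def show_clause(head, goals):
    body = " :- " + ", ".join(show(g) for g in goals) if goals else ""
    return show(head) + body + "."


# Clauses from the text, in the tuple encoding (constructed inputs):
#   append(X :: L, M) = X :: append(L, M)
#   subst(var(Y), E, X) = var(Y) :- X # Y
#   subst(lam((y)E'), E, X) = lam((y) subst(E', E, X)) :- y # (X, E)
APPEND2 = (("append", ("::", "X", "L"), "M"), ("::", "X", ("append", "L", "M")), ())
SUBST2 = (("subst", ("var", "Y"), "E", "X"), ("var", "Y"), (("#", "X", "Y"),))
SUBST4 = (("subst", ("lam", ("abs", "y", "E'")), "E", "X"),
          ("lam", ("abs", "y", ("subst", "E'", "E", "X"))),
          (("#", "y", ("pair", "X", "E")),))


def flatten_example(clause):
    """Flatten one clause with a fresh variable numbering and return its rendered text."""
    head, rhs, body = clause
    return show_clause(*Flattener({"append", "subst"}).flatten_clause(head, rhs, body))


if __name__ == "__main__":
    for clause in (APPEND2, SUBST2, SUBST4):
        print(flatten_example(clause))
```

Running the block prints the three flattened clauses; the lam clause of subst comes out as substp(lam((y)E'), E, X, lam((y)_R1)) :- substp(E', E, X, _R1), y # (X, E), which has the same shape as the freshened, flattened clause used in Example 2.3.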
2.2 The λ-calculus and variants

The prototypical example of a language with variable binding is the λ-calculus. In αProlog, the syntax of λ-terms may be described with the following type and constructor declarations:

    id : name_type.    exp : type.
    var : id → exp.    app : exp × exp → exp.    lam : (id)exp → exp.

Note that for this and other examples in this section, it is important to check the correctness of the representation of the object system (often called adequacy [Pfenning 2001]). Establishing adequacy requires first understanding the semantics of nominal logic programs given in Section 4. We will discuss adequacy further in Section 5.1.
Example 2.1 Typechecking and inference. First, for comparison with higher-order encodings, we consider the problem of typechecking λ-terms. The syntax of types can be encoded as follows:

    tid : name_type.    ty : type.    varTy : tid → ty.    arrTy : ty × ty → ty.

We define contexts ctx as lists of pairs of identifiers and types, and the 3-ary relation tc relating a context, term, and type:

    type ctx = list (id × ty).
    tc :: ctx × exp × ty → o.
    tc(G, var(X), T) :- mem((X,T), G).
    tc(G, app(E1,E2), T') :- tc(G, E1, arrTy(T,T')), tc(G, E2, T).
    tc(G, lam((x)E), arrTy(T,T')) :- x # G, tc([(x,T)|G], E, T').

The predicate mem :: a × [a] → o is the usual predicate for testing list membership (x : τ ∈ Γ). The freshness constraint x # G expresses the (often implicit) side-condition x ∉ Dom(Γ). Note that for simply-typed lambda terms, it is immediate that x ∉ Dom(Γ) is equivalent to x # G whenever G encodes Γ.

Consider the query ?- tc([], lam((x)lam((y)var(x))), T). We can reduce this goal by backchaining against the suitably freshened rule

    tc(G1, lam((x1)E1), arr(T1,U1)) :- x1 # G1, tc([(x1,T1)|G1], E1, U1)

which unifies with the goal with [G1 = [], E1 = lam((y)var(x1)), T = arr(T1,U1)].

This yields subgoal x1 # G1, tc([(x1,T1)|G1], E1, U1). The first conjunct is trivially valid since G1 = [] is a constant. The second is solved by backchaining against the third tc-rule again, producing unifier [G2 = [(x1,T1)], E2 = var(x1), U1 = arr(T2,U2)] and subgoal x2 # [(x1,T1)], tc([(x2,T2),(x1,T1)], var(x1), U2). The freshness subgoal reduces to the constraint x2 # T1, and the tc subgoal can be solved by backchaining against

    tc(G3, var(X3), T3) :- mem((X3,T3), G3)

using unifier [G3 = [(x2,T2),(x1,T1)], X3 = x1, T3 = U2]. Finally, the remaining subgoal mem((x1,U2), [(x2,T2),(x1,T1)]) clearly has most general solution [U2 = T1]. Solving for T, we have T = arr(T1,U1) = arr(T1, arr(T2,U2)) = arr(T1, arr(T2,T1)). This solution corresponds to the principal type of λx.λy.x. There are no other possible solutions.

Example 2.2. Returning to the example discussed in the introduction, the query

    ?- tc([], lam((x)lam((x)app(var(x),var(x)))), T)

fails with no solutions in αProlog. The following derivation steps show why this is the case:

    ⟹ T ≈ arrTy(T1,T2), x1 # [], tc([(x1,T1)], lam((x)app(var(x),var(x))), T2)
    ⟹ ··· T2 ≈ arrTy(T1',T2'), x2 # [(x1,T1)], tc([(x2,T1'),(x1,T1)], app(var(x2),var(x2)), T2')
    ⟹ ··· tc([(x2,T1'),(x1,T1)], var(x2), arrTy(T3,T2')), tc([(x2,T1'),(x1,T1)], var(x2), T3)
    ⟹ ··· T1' ≈ arrTy(T3,T2'), T1' ≈ T3

The final two equations are unsatisfiable (since the occurs check will fail), and no other derivation steps are possible.

Example 2.3 Capture-avoiding substitution. Although capture-avoiding substitution is not a built-in operator in αProlog, it is easy to define via the clauses:

    subst :: exp × exp × id → exp.
    subst(var(X), E, X) = E.
    subst(var(Y), E, X) = var(Y) :- X # Y.
    subst(app(E1,E2), E, X) = app(subst(E1,E,X), subst(E2,E,X)).
    subst(lam((y)E'), E, X) = lam((y) subst(E',E,X)) :- y # (X,E).

Note the two freshness side-conditions: the constraint X # Y prevents the first and second clauses from overlapping; the constraint y # (X,E) ensures capture-avoidance, by restricting the application of the fourth clause to when y is fresh for X and E. Despite these side-conditions, this definition is total and deterministic. Determinism is immediate: no two clauses overlap. Totality follows because, by nominal logic's freshness principle, the bound name y in lam((y)E') can always be renamed to a fresh z chosen so that z # (X,E).

Consider the goal ?- X = subst(lam((x)var(y)), var(x), y). The substitution on the right-hand side is in danger of capturing the free variable var(x). How is capture avoided in αProlog? First, recall that function definitions are translated to a flattened clausal form in αProlog, so we must solve the equivalent goal

    substp(lam((x)var(y)), var(x), y, X)

subject to an appropriately translated definition of substp. The freshened, flattened clause

    substp(lam((y1)E1'), E1, X1, lam((y1)E1'')) :- y1 # E1, substp(E1', E1, X1, E1'')

unifies with substitution

    [E1' = var(y), X1 = y, E1 = var(x), X = lam((y1)E1'')].

The freshness constraint y1 # var(x) guarantees that var(x) cannot be captured. It is easily verified, so the goal reduces to substp(var(y), var(x), y, E1''). Using the freshened rule substp(var(X2), E2, X2, E2) with unifying substitution [X2 = y, E2 = var(x), E1'' = var(x)], we obtain the solution X = lam((y1)var(x)).

We can also easily implement simultaneous substitution, ssubst, as follows:

    ssubst :: exp × list (exp × id) → exp.
    ssubst(var(X), []) = var(X).
    ssubst(var(X), [(E,Y)|S]) = ssubst(var(X), S) :- X # Y.
    ssubst(var(X), [(E,X)|S]) = E.
    ssubst(app(E1,E2), S) = app(ssubst(E1,S), ssubst(E2,S)).
    ssubst(lam((x)E), S) = lam((x) ssubst(E,S)) :- x # S.
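To make the mechanics behind Example 2.3 (and the equation (a)(a,b) ≈ (c)(c,b) ≉ (b)(b,b) from Section 2.1) concrete, here is an added Python model of nominal terms; it is illustration code written for this page, not the paper's definitions or the αProlog implementation. It assumes names are plain strings, constructor applications are Con(label, args), and fresh names are drawn as y1, y2, ... avoiding a given set. Swapping and freshness are the two primitives; α-equivalence of abstractions is defined from them exactly as stated in the text, and subst follows the four clauses above, with an optional switch that drops the y # (X,E) side condition so the capturing behaviour it prevents can be seen directly.

```python
# Added example (not from the paper or alphaProlog): nominal terms with swapping,
# freshness, alpha-equivalence and the capture-avoiding substitution of Example 2.3.
# Assumptions: names are str; constructors are Con(label, args); fresh names are y1, y2, ...
from dataclasses import dataclass
from itertools import count
from typing import Tuple, Union


@dataclass(frozen=True)
class Abs:            # (a)t : name-abstraction of the name a over the term t
    name: str
    body: "Term"


@dataclass(frozen=True)
class Con:            # f(t1, ..., tn): constructor application; Con(f) is a constant
    f: str
    args: Tuple["Term", ...] = ()


Term = Union[str, Abs, Con]   # a bare str is a name


def swap(a, b, t):
    """(a b)·t : exchange the names a and b everywhere in t, binders included."""
    if isinstance(t, str):
        return b if t == a else a if t == b else t
    if isinstance(t, Abs):
        return Abs(swap(a, b, t.name), swap(a, b, t.body))
    return Con(t.f, tuple(swap(a, b, u) for u in t.args))


def free_names(t):
    """Names occurring in t outside any abstraction of themselves (the support of t)."""
    if isinstance(t, str):
        return {t}
    if isinstance(t, Abs):
        return free_names(t.body) - {t.name}
    return set().union(*(free_names(u) for u in t.args))


def fresh(a, t):
    """a # t : the name a does not occur free in t."""
    return a not in free_names(t)


def alpha_eq(t, u):
    """t ≈ u, equality modulo renaming of abstracted names, via swapping and freshness:
    (a)t ≈ (b)u iff a = b and t ≈ u, or a # u and t ≈ (a b)·u."""
    if isinstance(t, str) or isinstance(u, str):
        return t == u
    if isinstance(t, Abs) and isinstance(u, Abs):
        if t.name == u.name:
            return alpha_eq(t.body, u.body)
        return fresh(t.name, u.body) and alpha_eq(t.body, swap(t.name, u.name, u.body))
    if isinstance(t, Con) and isinstance(u, Con):
        return t.f == u.f and len(t.args) == len(u.args) and all(map(alpha_eq, t.args, u.args))
    return False


# Lambda-term encoding of Section 2.2: var : id -> exp, app : exp x exp -> exp, lam : (id)exp -> exp
def var(x): return Con("var", (x,))
def app(e1, e2): return Con("app", (e1, e2))
def lam(x, e): return Con("lam", (Abs(x, e),))
def pair(a, b): return Con("pair", (a, b))


def fresh_name(avoid):
    """Pick a name not in `avoid`; the freshness principle says one always exists."""
    return next(n for n in (f"y{i}" for i in count(1)) if n not in avoid)


def subst(t, e, x, avoid_capture=True):
    """subst(E', E, X) of Example 2.3: replace var(x) by e in t.
    avoid_capture=False drops the side condition y # (X, E), giving the naive,
    capturing substitution; with it, a clashing binder is renamed to a fresh name first."""
    if t.f == "var":                           # clauses 1 and 2 (the latter needs X # Y)
        return e if t.args[0] == x else t
    if t.f == "app":                           # clause 3
        return app(subst(t.args[0], e, x, avoid_capture), subst(t.args[1], e, x, avoid_capture))
    y, body = t.args[0].name, t.args[0].body   # clause 4: lam((y)E'), guarded by y # (X, E)
    if avoid_capture and not fresh(y, pair(x, e)):
        z = fresh_name(free_names(body) | free_names(e) | {x})
        y, body = z, swap(y, z, body)          # (y)body ≈ (z)(y z)·body because z # body
    return lam(y, subst(body, e, x, avoid_capture))


def capture_demo():
    """The goal X = subst(lam((x)var(y)), var(x), y) from the text, with and without the guard."""
    safe = subst(lam("x", var("y")), var("x"), "y")
    naive = subst(lam("x", var("y")), var("x"), "y", avoid_capture=False)
    return safe, naive
```

capture_demo() returns lam((y1)var(x)) for the guarded substitution, matching the answer derived above, and lam((x)var(x)) for the unguarded one, where the free x of var(x) has been captured; alpha_eq distinguishes the two, and also confirms that (a)(a,b) ≈ (c)(c,b) while (a)(a,b) ≉ (b)(b,b).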

2.2.1 References. All imperative languages, and some functional languages such as ML, provide support for "pointers" or "references". The semantics of references typically involves threading some state (a heap μ mapping memory locations to values) through the evaluation. When a new reference cell is allocated, a fresh location must be obtained. Also, when a reference is assigned a new value, the heap must be updated. Thus, a typical small-step semantics for references [Pierce 2002, Ch. 13] includes rules for allocating and updating references, such as

$$\frac{l \notin dom(\mu)}{\mathit{ref}\;v \mid \mu \longrightarrow l \mid (\mu, l \mapsto v)}\;(\mathrm{ref}) \qquad \frac{}{l := v \mid \mu \longrightarrow () \mid \mu[l \mapsto v]}\;(\mathrm{assn}) \qquad \frac{\mu(l) = v}{!l \mid \mu \longrightarrow v \mid \mu}\;(\mathrm{deref})$$

where implicitly v is a value and l is a memory location.

In αProlog, we can use a name-type loc for memory locations and implement these rules easily as follows, using auxiliary predicate value : exp → o and function update :: [(loc, exp)] × loc × exp → [(loc, exp)]:

    step :: (exp × [(loc, exp)]) × (exp × [(loc, exp)]) → o.
    step((ref(V), M), (loc(L), [(L,V)|M])) :- value(V), L # M.
    step((assn(loc(L),V), M), (unit, update(M, L, V))) :- value(V).
    step((deref(loc(L)), M), (V, M)) :- value(V), mem((L,V), M).

2.2.2 Dependent types. In the previous section, we considered a simply-typed language, in which term variables cannot occur in types. We can also handle dependent types in αProlog. The dependent function type constructor Πx:τ.τ' typically has well-formedness and introduction rules:

$$\frac{\Gamma \vdash \tau\ \mathrm{type} \quad \Gamma, x:\tau \vdash \tau'\ \mathrm{type}}{\Gamma \vdash \Pi x{:}\tau.\tau'\ \mathrm{type}}\;(\Pi\text{-formation}) \qquad \frac{\Gamma, x:\tau \vdash e : \tau'}{\Gamma \vdash \lambda x.e : \Pi x{:}\tau.\tau'}\;(\Pi\text{-introduction})$$

As with simple types, the Π-formation rule carries an implicit caveat that x does not already appear in the domain of Γ. The freshness constraint x # G in the following rule is exactly what is needed again here because in a well-formed context Γ, we have Dom(Γ) ⊇ ⋃_{x ∈ Dom(Γ)} FV(Γ(x)). Hence the following rule suffices:

    wfty(G, piTy(T, (x)T')) :- wfty(G, T), x # G, wfty([(x,T)|G], T').

Similarly, the Π-introduction rule has an implicit constraint that x ∉ Dom(Γ). If Γ is well-formed, then this is equivalent to x # G; moreover, if Γ ⊢ Πx:τ.τ', then x # G implies that x # T as well (although x may still occur in T'). So the following rule suffices:

    tc(G, lam((x)E), piTy(T, (x)T')) :- x # G, tc([(x,T)|G], E, T').

2.2.3 Substructural type systems. Substructural type systems (or associated logics) such as linear logic [Girard 1987] or bunched implications [O'Hearn and Pym 1999] can also be implemented directly in αProlog. For example, "multiplicative" linear logic rules such as

$$\frac{\Gamma_1 \vdash e_1 : \tau_1 \quad \Gamma_2 \vdash e_2 : \tau_2}{\Gamma_1, \Gamma_2 \vdash (e_1, e_2) : \tau_1 \otimes \tau_2}\;(\otimes\text{-introduction})$$

can be translated to program clauses such as

    tc(merge(G1,G2), lpair(E1,E2), tensorTy(T1,T2)) :- tc(G1, E1, T1), tc(G2, E2, T2).
Process terms  p, q ::= 0 | τ.p | p | q | p + q | x(y).p | x̄y.p | [x = y]p | [x ≠ y]p | (x)p
Actions        α ::= τ | x(y) | x̄y | x̄(y)

    chan : name_type.    proc : type.    act : type.
    ina : proc.
    tau : proc → proc.
    par : proc × proc → proc.
    sum : proc × proc → proc.
    in : chan × (chan)proc → proc.
    out : chan × chan × proc → proc.
    match : chan × chan × proc → proc.
    mismatch : chan × chan × proc → proc.
    res : (chan)proc → proc.
    tau_a : act.
    in_a : chan × chan → act.
    fout_a : chan × chan → act.
    bout_a : chan × chan → act.

Fig. 3. The π-calculus: syntax and αProlog declarations

where we define merge as follows:

    merge([], G) = G.
    merge([(X,T)|G], G') = [(X,T)|merge(G, G')] :- X # G'.

Note the use of freshness to enforce that the domains of the two contexts do not overlap; again, the constraint X # G' is equivalent to x ∉ Dom(Γ') for the well-formed contexts in which we are interested.

Bunched type systems can also be implemented in αProlog, but we cannot use lists to represent bunched contexts; instead we have to define the bunches as a new data type, and define appropriate operations for splitting and merging contexts.

2.3 The π-calculus

The π-calculus is a calculus of concurrent, mobile processes. Its syntax (following Milner et al. [1992]) is described by the grammar rules shown in Figure 3. The symbols x, y, ... are channel names. The inactive process 0 is inert. The τ.p process performs a silent action τ and then does p. Parallel composition is denoted p | q and nondeterministic choice by p + q. The process x(y).p inputs a channel name from x, binds it to y, and then does p. The process x̄y.p outputs y to x and then does p. The match operator [x = y]p is p provided x = y, but is inactive if x ≠ y. The mismatch operator [x ≠ y]p, in contrast, is p provided x and y differ, and inactive otherwise. The restriction operator (y)p restricts y to p. Parenthesized names (e.g. y in x(y).p and (y)p) are binding, and fn(p), bn(p) and n(p) denote the sets of free, bound, and all names occurring in p. Capture-avoiding renaming is written t{x/y}.

Milner et al. [1992]'s original operational semantics (shown in Figure 4, symmetric cases omitted) is a labeled transition system with relation $p \xrightarrow{\alpha} q$ indicating "p steps to q by performing action α". Actions τ, x̄y, x(y), x̄(y) are referred to as silent, free output, input, and bound output actions respectively; the first two are called free and the second two are called bound actions. For an action α, n(α) is the set of all names appearing in α, and bn(α) is empty if α is a free action and is {y} if α is a bound action x(y) or x̄(y). Processes and actions can be encoded using the declarations shown in Figure 3.

Much of the complexity of the rules is due to the need to handle scope extrusion, 
Fig. 4. π-calculus transitions (Milner et al. [1992]; symmetric cases omitted) 

    ren_p :: proc × chan × chan → proc.    (* definition omitted *) 

    safe :: act × proc → o.                (* tests bn(A) ∩ fn(P) = ∅ *) 
    safe(tau_a, P). 
    safe(fout_a(X, Y), P). 
    safe(bout_a(X, Y), P) :- Y # P. 
    safe(in_a(X, Y), P) :- Y # P. 

    step :: proc × act × proc → o.         (* encodes p —A→ p' *) 
    step(tau(P), tau_a, P). 
    step(par(P, Q), A, par(P', Q)) :- step(P, A, P'), safe(A, Q). 
    step(par(P, Q), tau_a, par(P', ren_p(Q', Y, Z))) :- 
        step(P, fout_a(X, Y), P'), step(Q, in_a(X, Z), Q'). 
    step(sum(P, Q), A, P') :- step(P, A, P'). 
    step(out(X, Y, P), fout_a(X, Y), P). 
    step(in(X, (z)P), in_a(X, W), ren_p(P, W, z)) :- W # (z)P. 
    step(match(X, X, P), A, P') :- step(P, A, P'). 
    step(mismatch(X, Y, P), A, P') :- X # Y, step(P, A, P'). 
    step(par(P, Q), tau_a, res((z)par(P', Q'))) :- 
        step(P, bout_a(X, z), P'), step(Q, in_a(X, z), Q'). 
    step(res((y)P), A, res((y)P')) :- y # A, step(P, A, P'). 
    step(res((y)P), bout_a(X, W), ren_p(P', W, y)) :- 
        step(P, fout_a(X, y), P'), y # X, W # (y)P. 

Fig. 5. aProlog implementation of the π-calculus 



which occurs when restricted names "escape" their scope because of communication. 
In ((x)āx.p) | (a(z).z(x).Q) —τ→ (x')(p | x'(x).Q), for example, it is necessary 
to "freshen" x to x' in order to avoid capturing the free x in a(z).z(x).Q. Bound 
output actions are used to lift the scope of an escaping name out to the point where 
it is received. The rules can be translated directly into aProlog (see Figure 5). The 
function ren_p(P, Y, X) performing capture-avoiding renaming is not shown, but 
easy to define. 

We can check that this implementation of the operational semantics produces 
correct answers for the following queries: 

?- step(res((x)par(res((y)out(x, y, ina)), in(x, (z)out(z, x, ina)))), A, P). 
A = tau_a, P = res((y58)res((z643)par(ina, out(z643, y58, ina)))) 
?- step(res((x)out(x, y, ina)), A, P). 
No. 



ACM Journal Name, Vol. V, No. N, Month 20YY. 



14 • J. Cheney and C. Urban 



This aProlog session shows that (x)((y)x̄y.0 | x(y).ȳx.0) —τ→ (x)(y)(0 | ȳx.0), but 
(x)(x̄y.0) cannot make any transition. Moreover, the answer to the first query is 
unique (up to renaming). 

Röckl [2001] and Gabbay [2003] have also considered encodings of the π-calculus 
using nominal abstract syntax. Röckl considered only modeling the syntax of terms 
up to α-equivalence using swapping, whereas Gabbay went further, encoding transitions 
and the bisimulation relation and proving basic properties thereof. By [Gabbay 
2003, Thm 4.5], Gabbay's version of the π-calculus is equivalent to our conventional 
representation. In fact, Gabbay's presentation is a bit simpler to express in 
aProlog, but we have chosen Milner et al. [1992]'s original presentation to emphasize 
that informal "paper" presentations (even for fairly complicated calculi) can 
be translated directly to aProlog programs. 

2.3.1 Dyadic π-calculus. The polyadic π-calculus adds to the π-calculus the 
ability to send and receive n-tuples of names, not just single names. It is a useful 
intermediate stage for translations from other languages (such as the λ-calculus, 
object calculi, or the ambient calculus) to the pure π-calculus. We can easily define 
a special case of dyadic π-terms (that can send and receive pairs of names) in 
aProlog: 

in2 : chan × (chan)(chan)proc → proc. 

out2 : chan × chan × chan × proc → proc. 

unpoly :: proc → proc. 

unpoly(out2(C, X, Y, P)) = res((z)out(C, z, out(z, X, out(z, Y, unpoly(P))))) 
    :- z # (C, X, Y, P). 

unpoly(in2(C, (x)(y)P)) = in(C, (z)in(z, (x)in(z, (y)unpoly(P)))) 
    :- z # (C, P). 

2.3.2 Translation from λ-calculus to π-calculus. Both call-by-value and call-by-name 
translations from the λ-calculus to (dyadic) π-calculus can be developed. We 
assume that the λ-calculus variables and π-calculus names coincide. 

cbv :: exp × chan → proc. 

cbv(var(X), P) = out(P, X). 
cbv(app(M, N), P) = res((q)par(cbv(M, q), 
                       in(q, (v)res((r)par(cbv(N, r), 
                                       in(r, (w)out2(v, w, P, ina))))))). 
cbv(lam((x)M), P) = res((y)out(P, y, rep(in2(y, (x)(q)cbv(M, q))))). 

This can be seen to be equivalent to an informal definition (paraphrasing [Sangiorgi 
and Walker 2001, Table 15.2]): 

V[x]p = p̄x 

V[M N]p = (q)(V[M]q | q(v).(r)(V[N]r | r(w).v̄⟨w, p⟩)) 
V[λx.M]p = p̄(y).!y(x, q).V[M]q 

2.4 Discussion 

We conclude our high-level exposition by discussing aProlog in the context of other 
logic programming systems. As reflected by our choice of examples, at present 
we view aProlog as rather narrowly focused on the domain of prototyping and 
experimenting with logics, operational semantics for programming and concurrency 
calculi, and type systems and other program analyses. We believe that this is a 
rich domain containing certain classes of problems for which aProlog's uniform and 
declarative treatment of names, binding and generativity is an especially good fit 
(although not providing support for substitution and contexts comparable to that 
offered by higher-order abstract syntax). At present, our prototype interpreter aims 
to support rapid prototyping and experimentation with such systems, not general- 
purpose programming, just as several constraint logic programming languages are 
oriented towards particular domains. 

Nevertheless, it is an interesting question whether nominal logic programming 
features are advantageous in general-purpose logic programming. We believe the 
case for this is presently ambiguous, at best. Even for highly symbolic programs 
such as compilers and theorem provers, programmers typically rely on direct ac- 
cess to variable names for some operations (e.g., printing out informative error 
messages); moreover, names sometimes have additional structure (as in module 
systems). Thus, significant changes to such programs may be necessary to accom- 
modate nominal logic's abstract treatment of names. In particular, nominal logic's 
equivariance principle [Pitts 2003] guarantees that there is no linear ordering on 
names (from the point of view of nominal logic). This means that efficient data 
structures indexed by names (such as symbol tables) can hardly be implemented di- 
rectly as nominal logic programs and would instead have to be provided as built-in 
operations. 

On the other hand, other systems such as λProlog [Nadathur and Mitchell 1999], 
Qu-Prolog [Staples et al. 1989] and FreshML [Shinwell et al. 2003] have demonstrated 
that support for name-binding is useful as a general-purpose programming 
feature even if access to names is limited (as in λProlog or FreshML). Besides 
obvious applications to symbolic programming, names have been used in Qu-Prolog 
in multithreading and message passing. Moreover, Pitts and Shinwell [2007] have 
shown that certain functions and relations on names (including linear orderings) 
can be added to FreshML without damaging its semantics. Such results have yet 
to be extended or specialized to nominal logic proper, however, and this is an area 
for future work. 

The only way to find out how well nominal techniques work in general logic pro- 
gramming is to try to use them to develop significant programs. This appears to 
first require developing a production-quality compiler or interpreter for aProlog, 
together with libraries and other programming support. As our semantics (Sec- 
tion 4) demonstrates, nominal logic programming can be viewed as "constraint 
logic programming over the domain of nominal terms" ; thus, it may be possible 
to add support for some features of nominal logic programming to an existing ma- 
ture CLP system simply by implementing it as an additional constraint domain. 
However, we leave this and other implementation concerns for future work. 
(Types)      σ ::= δ | ν | ⟨ν⟩σ 
(Contexts)   Σ ::= · | Σ, X:σ | Σ#a:ν 
(Terms)      t ::= a | c | f(t) | X | (a b)·t | ⟨a⟩t 
(Formulas)   φ ::= ⊤ | ⊥ | p(t) | t ≈ u | a # t | t ~ u 
                 | φ ⇒ ψ | φ ∧ ψ | φ ∨ ψ 
                 | ∀X:σ.φ | ∃X:σ.φ | Иa:ν.φ 

Fig. 6. Syntax of nominal logic 



Σ ⊢ a : ν                                   if a:ν ∈ Σ 
Σ ⊢ X : σ                                   if X:σ ∈ Σ 
Σ ⊢ c : δ                                   if c : δ ∈ L 
Σ ⊢ f(t) : δ                                if f : σ → δ ∈ L and Σ ⊢ t : σ 
Σ ⊢ ⟨a⟩t : ⟨ν⟩σ                             if Σ ⊢ a : ν and Σ ⊢ t : σ 
Σ ⊢ (a b)·t : σ                             if Σ ⊢ a : ν, Σ ⊢ b : ν and Σ ⊢ t : σ 
Σ ⊢ t ≈ u : o,  Σ ⊢ t ~ u : o               if Σ ⊢ t : σ and Σ ⊢ u : σ 
Σ ⊢ a # t : o                               if Σ ⊢ a : ν and Σ ⊢ t : σ 
Σ ⊢ ⊤ : o,  Σ ⊢ ⊥ : o 
Σ ⊢ φ ∧ ψ : o,  Σ ⊢ φ ∨ ψ : o,  Σ ⊢ φ ⇒ ψ : o    if Σ ⊢ φ : o and Σ ⊢ ψ : o 
Σ ⊢ ∀X:σ.φ : o,  Σ ⊢ ∃X:σ.φ : o             if Σ, X:σ ⊢ φ : o 
Σ ⊢ Иa:ν.φ : o                              if Σ#a:ν ⊢ φ : o 

Fig. 7. Well-formedness for nominal terms and formulas 



3. NOMINAL LOGIC, HERBRAND MODELS, AND LOGIC PROGRAMS 
3.1 Syntax 

The syntax of nominal logic is shown in Figure 6. We assume fixed countably infinite 
sets of variables V and names A. A language L consists of a set of data types δ, 
name types ν, constants c : δ, function symbols f : σ → δ, and relation symbols 
p : σ → o, where we write o for the type of propositions. Types σ also include 
abstraction types ⟨ν⟩σ; additional type constructors such as pairing are omitted 
to simplify the presentation. First-class function types are not included, although 
the declarations of function and relation symbols in L employ suggestive notation. 
The novel term constructors include names a ∈ A, name-abstractions ⟨a⟩t denoting 
α-equivalence classes, and name-swapping applications (a b)·t. The formulas of 
nominal logic include all connectives and quantifiers of (sorted) first-order logic 
with equality; additional formulas include freshness (a # t) and the И-quantified 
formulas (Иa:ν.φ). Quantification over types mentioning o is not allowed. Well-formedness 
is defined for terms and formulas in Figure 7. Most cases are standard; 
note that И-quantified names are added to the context using the Σ#a:ν context 
form. 

Context bindings include ordinary variable bindings Σ, X:σ and name bindings 
Σ#a:ν. As usual, we adopt the convention that names and variables are not repeated 
in a context, so that it is impossible to write X:σ, X:σ' or a:ν#a:ν'. This 
convention implicitly constrains many inference rules with the side condition that 
X or a does not appear in some context Σ. We sometimes use the notations ∀Σ[φ], 
∃Σ[φ], and Σ, Σ', defined as follows: 

∀·[φ] = φ                      ∃·[φ] = φ                      Σ, · = Σ 
∀Σ, X:σ[φ] = ∀Σ[∀X:σ.φ]       ∃Σ, X:σ[φ] = ∃Σ[∃X:σ.φ]       Σ, (Σ', X:σ) = (Σ, Σ'), X:σ 
∀Σ#a:ν[φ] = ∀Σ[Иa:ν.φ]        ∃Σ#a:ν[φ] = ∃Σ[Иa:ν.φ]        Σ, (Σ'#a:ν) = (Σ, Σ')#a:ν 

Contexts play two roles in our presentation of nominal logic (following Cheney 
[2005d]). First, as usual they track the types of scoped variables as well as those 
of names introduced by И-quantifiers. Abusing notation, we sometimes identify a 
context with the corresponding set of bindings, and write a:ν ∈ Σ or X:σ ∈ Σ 
to indicate that a name a has type ν or variable X has type σ in Σ. Second, 
contexts track freshness information. In nominal logic, a name introduced by the 
И-quantifier can always be assumed fresh for all other values in scope; thus, contexts 
need to track the order in which names and variables were introduced. This is the 
reason why we write name-bindings as Σ#a:ν. 

Swapping: 
(a b)·a = b 
(a b)·b = a 
(a b)·a' = a'                                        (a ≠ a' ≠ b) 
(a b)·c = c 
(a b)·f(t₁, ..., tₙ) = f((a b)·t₁, ..., (a b)·tₙ) 
(a b)·⟨a'⟩t = ⟨(a b)·a'⟩(a b)·t 

Freshness: 
⊨ a # b                                              (a ≠ b) 
⊨ a # c 
⊨ a # f(t₁, ..., tₙ)                                 if ⊨ a # tᵢ for all i = 1, ..., n 
⊨ a # ⟨b⟩t                                           if ⊨ a # b and ⊨ a # t 
⊨ a # ⟨a⟩t 

Equality: 
⊨ a ≈ a 
⊨ c ≈ c 
⊨ f(t₁, ..., tₙ) ≈ f(u₁, ..., uₙ)                    if ⊨ tᵢ ≈ uᵢ for all i = 1, ..., n 
⊨ ⟨a⟩t ≈ ⟨a⟩u                                        if ⊨ t ≈ u 
⊨ ⟨a⟩t ≈ ⟨b⟩u                                        if ⊨ a # u and ⊨ t ≈ (a b)·u 

Equivariance: 
⊨ t ~ u                                              if ⊨ t ≈ u 
⊨ t ~ u                                              if ⊨ (a b)·t ~ u 

Fig. 8. Swapping, freshness, equality, and equivariance for ground nominal terms 

3.2 Semantics 

Figure 8 defines the meaning of the swapping, freshness, equality, and equivariance 
operations on ground terms. Swapping exchanges two syntactic occurrences of a 
name in a term (including occurrences such as a in ⟨a⟩t). The freshness relation 
defines what it means for a name to be "not free in" (or fresh for) a term. Intuitively, 
a name a is fresh for a term t (that is, a # t) if t possesses no occurrences of a 
unenclosed by an abstraction of a. The equality relation on nominal terms is defined 
using freshness and swapping. The only interesting cases are for abstractions; the 
second rule for abstractions is equivalent to more standard forms of α-renaming, 
as has been shown elsewhere [Gabbay and Pitts 2002; Pitts 2003]. Finally, the 
equivariance relation t ~ u indicates that two terms are equal up to a permutation 
of names; it is needed for nominal resolution. 

We sometimes refer to the set of "free" names of a term supp(t) = A − {a | a # t} 
as its support. Also, swapping and support are extended to formulas by setting 
(a b)·QX.φ[X] = QX.(a b)·φ[X] for Q ∈ {∀, ∃} and (a b)·Иa'.φ = Иa'.(a b)·φ, 
provided a' ∉ {a, b}; thus, using α-renaming, we have (a b)·∀X.Иa.p(a, b, X) = 
∀X.Иa'.p(a', a, X). Likewise, swapping can be extended to sets of terms or formulas 
by setting (a b)·S = {(a b)·t | t ∈ S}. 
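The ground-term operations of Figure 8 are small enough to run. The following Python module is an added example written for this page, not code from the paper or from the aProlog implementation; it represents nominal terms with names, function applications (a constant being the nullary case) and abstractions, and implements swapping, freshness, α-equality and support by following the rules of Figure 8 case by case. The equivariance test t ~ u is decided here by searching over bijections between supp(t) and supp(u); that search, the class names and the sample terms at the end are choices of this example, not something the paper specifies.

```python
# Added example for this page: the Figure 8 operations (swapping, freshness,
# equality, equivariance) on ground nominal terms.  Not the paper's own code.
from dataclasses import dataclass
from itertools import permutations
from typing import Dict, FrozenSet, Tuple, Union


@dataclass(frozen=True)
class Name:
    """A name a from the countable set of names A."""
    s: str


@dataclass(frozen=True)
class App:
    """f(t1, ..., tn); a constant c is the nullary case App("c")."""
    f: str
    args: Tuple["Term", ...] = ()


@dataclass(frozen=True)
class Abs:
    """A name-abstraction <a>t, denoting an alpha-equivalence class."""
    a: Name
    body: "Term"


Term = Union[Name, App, Abs]


def act(pi: Dict[Name, Name], t: Term) -> Term:
    """pi . t for a finite permutation pi (a bijection on names, identity
    elsewhere).  Binders are permuted too, so no capture can occur."""
    if isinstance(t, Name):
        return pi.get(t, t)
    if isinstance(t, App):
        return App(t.f, tuple(act(pi, x) for x in t.args))
    return Abs(act(pi, t.a), act(pi, t.body))


def swap(a: Name, b: Name, t: Term) -> Term:
    """(a b) . t: the transposition of a and b, as in Figure 8."""
    return act({a: b, b: a}, t)


def fresh(a: Name, t: Term) -> bool:
    """|= a # t: no occurrence of a in t outside an abstraction of a."""
    if isinstance(t, Name):
        return a != t                      # a # b  iff  a != b
    if isinstance(t, App):
        return all(fresh(a, x) for x in t.args)
    # a # <a>t always; a # <b>t iff a # b and a # t
    return t.a == a or fresh(a, t.body)


def equal(t: Term, u: Term) -> bool:
    """|= t ~= u: equality up to alpha-renaming (Figure 8, equality rules)."""
    if isinstance(t, Name) and isinstance(u, Name):
        return t == u
    if isinstance(t, App) and isinstance(u, App):
        return (t.f == u.f and len(t.args) == len(u.args)
                and all(equal(x, y) for x, y in zip(t.args, u.args)))
    if isinstance(t, Abs) and isinstance(u, Abs):
        if t.a == u.a:
            return equal(t.body, u.body)
        # <a>t ~= <b>u  iff  a # u  and  t ~= (a b) . u
        return fresh(t.a, u.body) and equal(t.body, swap(t.a, u.a, u.body))
    return False


def supp(t: Term) -> FrozenSet[Name]:
    """supp(t) = A - {a | a # t}: the free names of t."""
    if isinstance(t, Name):
        return frozenset({t})
    if isinstance(t, App):
        return frozenset().union(*(supp(x) for x in t.args))
    return supp(t.body) - {t.a}


def equivariant(t: Term, u: Term) -> bool:
    """|= t ~ u: some permutation of names maps t onto u (up to alpha).
    Only names in supp(t) matter, so it suffices to try each bijection
    supp(t) -> supp(u), extended to a genuine permutation (this search is
    an implementation choice of the example, not the paper's rule)."""
    st = sorted(supp(t), key=lambda n: n.s)
    su = sorted(supp(u), key=lambda n: n.s)
    if len(st) != len(su):
        return False
    for image in permutations(su):
        pi = dict(zip(st, image))
        # Names of u not yet in the domain are sent to the names of t not yet
        # hit, so pi is a bijection on supp(t) | supp(u) and identity elsewhere.
        pi.update(zip([n for n in su if n not in pi],
                      [n for n in st if n not in image]))
        if equal(act(pi, t), u):
            return True
    return False


# Constructed sample terms (not from the paper): <a>f(a, c), <b>f(b, c), <c>f(c, a)
a, b, c = Name("a"), Name("b"), Name("c")
T1 = Abs(a, App("f", (a, c)))
T2 = Abs(b, App("f", (b, c)))
T3 = Abs(c, App("f", (c, a)))

if __name__ == "__main__":
    print(equal(T1, T2), equal(T1, T3), equivariant(T1, T3))  # True False True
```

T1 and T2 differ only in the bound name and are equal; T1 and T3 are not equal (a is free in T3 but bound in T1) yet equivariant, since the swap (a c) maps one onto the other, which is exactly the situation the hyp rule of Section 4.2 has to account for.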

For the purposes of this paper, it suffices to restrict attention to term models of 
nominal logic in which the domain elements are nominal terms with equality and 
freshness defined as in Figure 8. We write B_L for the Herbrand base, that is, the 
set of all ground instances of user-defined predicates p. 

We view a Herbrand model H as a subset of B_L that is equivariant, or closed 
under swapping (that is, H ⊆ (a b)·H for any a, b). The semantics of nominal logic 
formulas over term models is defined as shown in Figure 9. 

H ⊨ ⊤ 
H ⊭ ⊥ 
H ⊨ A          ⟺  A ∈ H 
H ⊨ φ ∧ ψ      ⟺  H ⊨ φ and H ⊨ ψ 
H ⊨ φ ∨ ψ      ⟺  H ⊨ φ or H ⊨ ψ 
H ⊨ φ ⇒ ψ      ⟺  H ⊨ φ implies H ⊨ ψ 
H ⊨ ∀X:σ.φ     ⟺  for all t : σ, H ⊨ φ[t/X] 
H ⊨ ∃X:σ.φ     ⟺  for some t : σ, H ⊨ φ[t/X] 
H ⊨ a # u      ⟺  ⊨ a # u 
H ⊨ Иa:ν.φ     ⟺  for all b : ν ∉ supp(Иa:ν.φ), H ⊨ (b a)·φ 

Fig. 9. Term model semantics of nominal logic 

The only nonstandard case in Figure 9 is that for И. The meaning of the И-quantifier 
can be defined in several equivalent ways: 

Lemma 3.1. The following are equivalent: 

(1) H ⊨ Иa:ν.φ, that is, H ⊨ (a b)·φ for every b ∉ supp(Иa:ν.φ) 

(2) H ⊨ φ 

(3) The set {b | H ⊨ (a b)·φ} is cofinite 

(4) H ⊨ (a b)·φ for some b ∉ supp(Иa:ν.φ) 

Proof. It is immediate that (1) implies (2,3) and that (2) implies (4). Case 
(3) implies (4) because the sets {b | H ⊨ (a b)·φ} and {b | b ∉ supp(Иa.φ)} are both 
cofinite so have nonempty intersection. Case (4) is equivalent to (1) because 

∃a. a # x ∧ φ(a, x) ⟺ ∀a. a # x ⇒ φ(a, x) 

is a theorem of nominal logic for any φ such that FV(φ) ⊆ {a, x} [Pitts 2003, Prop. 
4]. □ 

Remark 3.2. In light of Lemma 3.1, we could instead have defined H ⊨ Иa.φ in 
several alternative ways, such as (2). However, definition (1) is preferable for the 
subsequent developments because it corresponds closely to a natural "one-step deduction 
operator" on Herbrand models for И-quantified formulas; see Definition 4.6. 

We define ground substitutions θ as functions from V to ground terms. Given a 
context Σ, we say that a ground substitution θ satisfies Σ (written θ : Σ) when 

θ : · 
θ : Σ, X:σ       if θ(X) : σ and θ : Σ 
θ : Σ#a:ν        if a # θ and θ : Σ 

where a # θ abbreviates a # θ(X) for each X ∈ Dom(θ). For example, [X ↦ a] 
satisfies Σ = X:ν and Σ' = a:ν, X:ν, but not Σ'' = X:ν#a:ν. Since contexts grow to 
the right, we should read a (sub-)context Σ#a:ν as saying that a is fresh for all the 
names in Σ and for (the values of) all variables in Σ; but, a may appear in variables 
occurring to the right of a (that is, values introduced after a was introduced). 

We generalize the satisfiability judgments as follows. Given sets of formulas Γ, Δ, 
we write 

— H ⊨ Γ (for Γ closed) to indicate that H ⊨ φ for each φ ∈ Γ 

— Γ ⊨ Δ (for Γ, Δ closed) to indicate that for every H, H ⊨ Γ implies H ⊨ Δ 

— [Σ] θ ⊨ Δ to indicate that θ : Σ and ⊨ θ(Δ) 

— [Σ] Γ, θ ⊨ Δ to indicate that θ : Σ and θ(Γ) ⊨ θ(Δ) 

— [Σ] Γ ⊨ Δ to indicate that [Σ] Γ, θ ⊨ Δ for every θ : Σ 

— ∀Σ[φ] (or ∃Σ[φ]) for the formula obtained by ∀-quantifying (or ∃-quantifying) all 
variables and И-quantifying all names in Σ, in order. 

Note that, for example, X#a : · ⊨ a # X but a, X : · ⊭ a # X. 

(Constraints)       C ::= ⊤ | t ≈ u | a # t | t ~ u | C ∧ C' | ∃X:σ.C | Иa:ν.C 
(Goals)             G ::= ⊤ | A | C | G ∧ G' | G ∨ G' | ∃X:σ.G | Иa:ν.G 
(Program clauses)   D ::= ⊤ | A | D ∧ D' | G ⇒ D | ∀X:σ.D | Иa:ν.D 

Fig. 10. Constraints, goals, and program clauses 

We enumerate a number of basic properties of satisfiability, most of which are 
standard. 

Lemma 3.3. If [Σ] Γ ⊨ φ and [Σ] Γ, φ ⊨ ψ then [Σ] Γ ⊨ ψ. 

Lemma 3.4. If [Σ] Γ ⊨ ∃X:σ.ψ and [Σ, X:σ] Γ, ψ ⊨ φ hold then [Σ] Γ ⊨ ∃X:σ.φ 
holds. 

Lemma 3.5. If [Σ] Γ ⊨ Иa:ν.ψ and [Σ#a:ν] Γ, ψ ⊨ φ hold then [Σ] Γ ⊨ Иa:ν.φ 
holds. 

Lemma 3.6. If [Σ] Γ, ψ₁ ⊨ φ then [Σ] Γ, ψ₁ ∧ ψ₂ ⊨ φ. 

Lemma 3.7. If [Σ] Γ ⊨ ψ₁ and [Σ] Γ, ψ₂ ⊨ φ then [Σ] Γ, ψ₁ ⇒ ψ₂ ⊨ φ. 

Lemma 3.8. If [Σ, X:σ] Γ, ψ, θ[X ↦ t] ⊨ φ where Σ ⊢ t : σ and X ∉ FV(Γ, φ) 
then [Σ] Γ, ∀X:σ.ψ, θ ⊨ φ. 

Lemma 3.9. If [Σ#a:ν] Γ, ψ ⊨ φ for some a ∉ supp(Γ, φ) then [Σ] Γ, Иa:ν.ψ ⊨ φ. 

3.3 Nominal logic programs 

In Section 2, we employed a concrete syntax for aProlog programs that is more 
convenient for writing programs, but less convenient for defining the semantics and 
reasoning about programs. We take the view that aProlog programs are interpreted 
as theories in nominal logic, just as pure Prolog programs can be viewed as theories 
of first-order logic. Consequently, we will now adopt an abstract syntax for aProlog 
programs that is based on the syntax of nominal logic. 

Figure 10 displays three special classes of formulas used frequently in the rest of 
the article. Constraints C consist of formulas built using only atomic constraints, 
conjunction, and existential and И-quantification. We consider atomic constraints 
including equality, freshness, and equivariance, that is, equality modulo a permutation 
of names. Nominal Horn goal formulas G include atomic formulas, constraints, 
conjunctions, disjunctions, and existential and И-quantification; program clauses D 
include atomic formulas, conjunctions, subgoal implications, and universal and 
И-quantification. A nominal logic program is a set P of closed program clauses D. 

As usual in logic programming, we interpret a program clause A :- G with free 
variables X as an implicitly quantified, closed formula ∀X.G ⇒ A. Moreover, if the 
program clause contains free names a, they are interpreted as implicitly И-quantified 
outside of the scope of the universally-quantified variables; thus, a clause A :- G 
with free variables X and free names a is considered equivalent to the nominal logic 
formula Иa.∀X.G ⇒ A. 



4. SEMANTICS 

So far, we have motivated aProlog purely in intuitive terms, arguing that aProlog 
concepts such as freshness and name-abstraction behave as they do "on paper". 
However, in order to prove the correctness of the example programs we have considered, 
it is important to provide a semantic foundation for reasoning about such 
programs. We shall investigate model-theoretic, proof-theoretic, and operational 
semantics for nominal logic programs. 

Classical model-theoretic semantics for logic programming [van Emden and Kowalski 
1976; Lloyd 1987] defines the meaning of a program as a Herbrand model constructed 
as the least fixed point of a continuous operator. We take for granted the 
theory of Herbrand models for nominal logic introduced in the previous section (full 
details are presented in [Cheney 2006a]). We then define an appropriate least fixed 
point semantics for nominal logic programs and prove that the least fixed point 
model and the least Herbrand model coincide. 

While model-theoretic semantics is convenient for relating formal and informal 
systems, it is not as useful for implementation purposes. Instead, syntactic techniques 
based on proof theory are more appropriate because they provide a declarative 
reading of connectives as proof search operations in constructive logic. Miller 
et al. [1991] introduced the concept of uniform proof; a collection of program clauses 
and goal formulas is considered an abstract logic programming language if goal-directed 
proof search is complete with respect to the underlying logic. Accordingly, 
we introduce a proof theory for a fragment of intuitionistic nominal logic which performs 
goal-directed proof search (decomposes complex goals to simple atomic formulas) 
and focused resolution (searches systematically for proofs of atomic formulas 
based on the syntax of program clauses). We prove the soundness and completeness 
of this system with respect to the model-theoretic semantics. 

Finally, we consider the operational semantics of nominal logic programs at an 
abstract level. The proof theoretic semantics contains a number of "don't-know" 
nondeterministic choices. We provide an operational semantics (following the semantics 
of constraint logic programming [Jaffar et al. 1998; Darlington and Guo 
1994; Leach et al. 2001]) which delays these choices as long as possible, and models 
the behavior of an abstract interpreter. 

Along the way we prove appropriate soundness and completeness results relating 
the model-theoretic, proof-theoretic, and operational semantics. These results en- 
sure the correctness of a low-level interpreter based on the operational semantics 
relative to the high-level approaches, and provide a rich array of tools for analyzing 
the behavior of nominal logic programs. The model-theoretic semantics is especially 
useful for relating informal systems with nominal logic programs, while the proof- 
theoretic semantics is convenient for proving properties of program transformations. 
We shall consider such applications in Section 5. 




4.1 Model-theoretic semantics 

In this section we define the model-theoretic semantics of nominal logic programs. 
We show that least Herbrand models exist for nominal Horn clause programs and 
that the least Herbrand model is the least fixed point of an appropriate continuous 
one-step deduction operator, following Lloyd [1987]. This section also relies on 
standard definitions and concepts from lattice theory [Davey and Priestley 2002]. 

Although the overall structure of our proof follows Lloyd, it differs in some important 
technical details. Most importantly, we do not assume that clauses have been 
normalized to the form A :- G. Instead, all definitions and proofs are by induction 
over the structure of goals and program clauses. This is advantageous because it 
permits a much cleaner treatment of each logical connective independently of the 
others; this is especially helpful when considering the new cases arising for the 
И-quantifier, and when relating the model-theoretic semantics to the proof-theoretic 
and operational semantics. Most proofs are in Appendix A. 

4.1.1 Least Herbrand Models. It is a well-known fact that least Herbrand models 
exist for Horn clause theories in first-order logic. This is also true for nominal Horn 
clause theories. We rely on a previous development of Herbrand model theory for 
nominal logic [Cheney 2006a] , culminating in the completeness of Herbrand models 
for Horn clause theories: 

Theorem 4.1 (Completeness of nominal Herbrand models). A collection 
of program clauses is satisfiable in nominal logic if and only if it has a Herbrand 
model. 

Lemma 4.2. Let Δ be a program and M a nonempty set of Herbrand models of 
Δ. Then H = ⋂M is also a Herbrand model of Δ. 

An immediate consequence is that a least Herbrand model H_Δ = ⋂{H | H ⊨ Δ} 
exists for any nominal Horn theory Δ. Moreover, H_Δ consists of all ground atoms 
entailed by Δ, as we now show. 

Theorem 4.3. Let Δ be a program. Then H_Δ = {A ∈ B_L | Δ ⊨ A}. 

4.1.2 Fixed Point Semantics. Classical fixed point theorems assert the existence 
of a fixed point. However, to ensure that the fixed point of an operator on nominal 
Herbrand models is still a Herbrand model we need an additional constraint: we 
require that the operator is also equivariant, in the following sense. 

Definition 4.4. A set operator T : P(B_L) → P(B_L) is called equivariant if 
(a b)·T(S) = T((a b)·S). 

Theorem 4.5. Suppose T : P(B_L) → P(B_L) is equivariant and monotone. 
Then lfp(T) = ⋂{S ∈ P(B_L) | T(S) ⊆ S} is the least fixed point of T and is 
equivariant. If, in addition, T is continuous, then lfp(T) = T^ω = ⋃_{i=0}^{∞} T^i(∅). 

Definition 4.6. Let S be a Herbrand interpretation and D a closed program 
clause. The one-step deduction operator T_D : P(B_L) → P(B_L) is defined as follows: 

T_⊤(S) = S 
T_A(S) = S ∪ {A} 
T_{∀X:σ.D}(S) = ⋃_{t:σ} T_{D[t/X]}(S) 
T_{Иa.D}(S) = ⋃_{b:ν ∉ supp(Иa.D)} T_{(a b)·D}(S) 

We define T_Δ as T_{D₁ ∧ ··· ∧ Dₙ} provided Δ = {D₁, ..., Dₙ} and each Dᵢ is closed. 

Remark 4.7. Many prior expositions of the model-theoretic semantics of logic 
programs treat "open" Horn clauses A :- B₁, ..., Bₙ as the basic units of computation. 
For example, the one-step deduction operator is usually formulated as 

T(S) = {θ(A) | ∃(A :- B₁, ..., Bₙ ∈ P), θ. S ⊨ θ(B₁), ..., θ(Bₙ)} 

This definition is not straightforward to extend to nominal logic programming because 
of the presence of the И-quantifier. Although it can be done [Cheney 2004b, 
Chapter 6], the resulting model-theoretic semantics is difficult to relate to the proof-theoretic 
and operational semantics. Instead, we prefer to define T by induction 
on the structure of program clauses. This necessitates reorganizing our proofs, 
but the resulting argument is more modular with respect to extensions based on 
connectives. 

Lemma 4.8. For any program Δ, T_Δ is monotone and continuous. 

Lemma 4.9. For any a, b ∈ A, (a b)·T_D(S) = T_{(a b)·D}((a b)·S). In particular, 
if Δ is a closed program with FV(Δ) = supp(Δ) = ∅, then T_Δ is equivariant. 

Lemma 4.10. If M is a fixed point of T_Δ, then M ⊨ Δ. 

Lemma 4.11. If M ⊨ Δ then M is a fixed point of T_Δ. 

Theorem 4.12. H_Δ = lfp(T_Δ) = T_Δ^ω. 

Proof. Clearly lfp(T_Δ) = T_Δ^ω by Theorem 4.5. Moreover, by Lemma 4.11 and 
Lemma 4.10, the set of models of Δ equals the set of fixed points of T_Δ, so we must 
have H_Δ = lfp(T_Δ), since H_Δ is the least model of Δ and lfp(T_Δ) is the least fixed 
point of T_Δ. □ 

4.2 Proof-theoretic semantics 

In proof-theoretic semantics, an approach due to Miller et al. [1991], well-behaved 
logic programming languages are characterized as those for which uniform (or goal-directed) 
proof search is complete. Uniform proofs were defined by Miller et al. 
[1991] as sequent calculus proofs in which right-introduction rules are always used 
to decompose non-atomic goal formulas before any other proof rules are considered. 

Remark 4.13. Uniform proofs have been investigated previously for nominal 
logic programming [Gabbay and Cheney 2004; Cheney 2005d; 2006b]. Our presentation 
is based on that of Cheney [2006b]; this approach resolves various problems 
in earlier work, principally the problem of making proof search goal-directed for 
(valid) nominal logic formulas such as Иa.∃X.a # X. 

For example, the system NL⇒ of [Cheney 2005d] contains a freshness rule (F) 
that asserts that a fresh name can be introduced at any point in an argument: 

[Σ#a] Γ ⇒ φ 
──────────── F   (a ∉ Σ) 
[Σ] Γ ⇒ φ 

Here, the judgment [Σ] Γ ⇒ φ can be read as "For any valuation satisfying Σ, if all 
the formulas of Γ hold then φ holds." As the following partial derivation suggests, 
the goal formula Иa.∃X.a # X cannot be derived in NL⇒ without using (F) before 
∃R, because otherwise there is no way to obtain a ground name b distinct from a 
with which to instantiate X: 

a#b : · ⇒ a # b 
─────────────────── ∃R 
a#b : · ⇒ ∃X.a # X 
─────────────────── F 
a : · ⇒ ∃X.a # X 
─────────────────── ИR 
· : · ⇒ Иa.∃X.a # X 

We adopt a variation of the NL⇒ proof theory of [Cheney 2005d] that solves this 
problem: specifically, we define an "amalgamated" proof system NL⇒ that separates 
the term-level constraint-based reasoning from logical reasoning and proof 
search. This technique was employed by Darlington and Guo [1994] and further 
developed by Leach et al. [2001] in studying the semantics of constraint logic programs. 

In this section we introduce the amalgamated proof system NL⇒ and relate 
it to the model-theoretic semantics in the previous section. We also introduce 
a second residuated proof system that eliminates the nondeterminism involved in 
the constraint-based rules; this system forms an important link between the proof 
theory and the operational semantics in the next section. 

4.2.1 The amalgamated system NL⇒. The proof rules in Figure 11 describe a 
proof system that first proceeds by decomposing the goal to an atomic formula, 
which is then solved by refining a program clause. The uniform derivability judgment 
[Σ] Δ; ∇ ⇒ G indicates that G is derivable from Δ and ∇ in context Σ, 
while the focused proof judgment [Σ] Δ; ∇ —D→ A indicates that atomic goal A is 
derivable from Δ and ∇ by refining the program clause D (using Δ to help solve 
any residual goals). The judgment [Σ] ∇ ⊨ C is the ordinary constraint entailment 
relation defined in Section 3. 

These rules are unusual in several important respects. First, the hyp rule requires 
solving an equivariance constraint of the form A ~ B; thus, from p(a, b) we can 
conclude p(b, a) since (a b) maps p(a, b) to p(b, a). In contrast, usually the hypothesis 
rule requires only that A ≈ A'. Our rule accounts for the fact that equivalent atomic 
formulas may not be syntactically equal as nominal terms, but only equal modulo a 
permutation, due to nominal logic's equivariance principle [Pitts 2003]. Second, the 
proof system treats constraints specially, separating them into a context ∇. This 
is necessary because the role of constraints is quite different from that of program 
clauses: the former are used exclusively for constraint solving whereas the latter 
⊤R:    [Σ] Δ; ∇ ⇒ ⊤ 

con:   [Σ] ∇ ⊨ C 
       ───────────────── 
       [Σ] Δ; ∇ ⇒ C 

∧R:    [Σ] Δ; ∇ ⇒ G₁    [Σ] Δ; ∇ ⇒ G₂ 
       ───────────────────────────────── 
       [Σ] Δ; ∇ ⇒ G₁ ∧ G₂ 

∨Rᵢ:   [Σ] Δ; ∇ ⇒ Gᵢ 
       ───────────────── 
       [Σ] Δ; ∇ ⇒ G₁ ∨ G₂ 

∃R:    [Σ] ∇ ⊨ ∃X:σ.C    [Σ, X:σ] Δ; ∇, C ⇒ G 
       ───────────────────────────────────────── 
       [Σ] Δ; ∇ ⇒ ∃X:σ.G 

ИR:    [Σ] ∇ ⊨ Иa:ν.C    [Σ#a:ν] Δ; ∇, C ⇒ G 
       ───────────────────────────────────────── 
       [Σ] Δ; ∇ ⇒ Иa:ν.G 

back:  [Σ] Δ; ∇ —D→ A 
       ─────────────────   (D ∈ Δ) 
       [Σ] Δ; ∇ ⇒ A 

hyp:   [Σ] ∇ ⊨ A' ~ A 
       ───────────────── 
       [Σ] Δ; ∇ —A'→ A 

∧Lᵢ:   [Σ] Δ; ∇ —Dᵢ→ A 
       ───────────────────── 
       [Σ] Δ; ∇ —D₁∧D₂→ A 

⇒L:    [Σ] Δ; ∇ —D→ A    [Σ] Δ; ∇ ⇒ G 
       ───────────────────────────────── 
       [Σ] Δ; ∇ —G⇒D→ A 

∀L:    [Σ] ∇ ⊨ ∃X:σ.C    [Σ, X:σ] Δ; ∇, C —D→ A 
       ───────────────────────────────────────── 
       [Σ] Δ; ∇ —∀X:σ.D→ A 

ИL:    [Σ] ∇ ⊨ Иa:ν.C    [Σ#a:ν] Δ; ∇, C —D→ A 
       ───────────────────────────────────────── 
       [Σ] Δ; ∇ —Иa:ν.D→ A 

Fig. 11. Uniform/focused proof search for intuitionistic nominal logic 

are used in backchaining. Third, the ИL, ИR, ∃R and ∀L rules are permitted to 
introduce a constraint on the quantified name a or variable X rather than providing 
a witness term. Although these rules resemble the "cut" sequent calculus rule, 
which is typically excluded from uniform proof systems, these rules do not implicitly 
build "cut" into the system; rather, they merely generalize the ability to instantiate 
a variable in a ∀L or ∃R rule to a constraint setting in an appropriate way. 

This treatment compartmentalizes all reasoning about the constraint domain in 
the judgment [Σ] ∇ ⊨ C, and makes it possible to retain "uniform" proofs in the 
presence of constraints for which a term instantiation of a quantified variable in 
rules ∃R, ∀L may not be available. For example, in constraint logic programming 
over the real numbers, the goal ∃x. x² = 2 has no witnessing term. 

Furthermore, this approach solves the problem discussed in Remark 4.7, because 
the goal Иa.∃X.a # X now has the following uniform derivation (the ИR step is shown 
last; its right-hand premise is the conclusion of the ∃R step): 

[Σ#a] ∇, ⊤ ⊨ ∃X.a # X    [Σ#a, X] Δ; ∇, ⊤, a # X ⇒ a # X
──────────────────────────────────────────────────────── ∃R
[Σ#a] Δ; ∇, ⊤ ⇒ ∃X.a # X

[Σ] ∇ ⊨ Иa.⊤    [Σ#a] Δ; ∇, ⊤ ⇒ ∃X.a # X
────────────────────────────────────────── ИR
[Σ] Δ; ∇ ⇒ Иa.∃X.a # X

since [Σ#a] ∇ ⊨ ∃X.a # X is clearly valid for any ∇ (take X to be any ground 
name besides a). The price we pay is the introduction of nondeterministic choices 
of constraints in the quantifier rules. We will show how to eliminate this source of 
nondeterminism using a residuated proof theory in Section 4.2.2. 

We state without proof the following basic "weakening" properties. For brevity, 
here and elsewhere, we frequently say "if J₁, …, Jₙ then J'₁, …, J'ₘ" rather than 
"if J₁, …, Jₙ have derivations then J'₁, …, J'ₘ have derivations", for judgments 
J₁, …, Jₙ, J'₁, …, J'ₘ. 

Lemma 4.14. 

(1) If [Σ] Δ; ∇ ⇒ G (or [Σ] Δ; ∇ ⟶_D A) and Σ, Σ' is a well-formed context then 
[Σ, Σ'] Δ; ∇ ⇒ G (or [Σ, Σ'] Δ; ∇ ⟶_D A). 

(2) If [Σ] Δ; ∇ ⇒ G (or [Σ] Δ; ∇ ⟶_D A) and Δ ⊆ Δ' then [Σ] Δ'; ∇ ⇒ G (or 
[Σ] Δ'; ∇ ⟶_D A). 

(3) If [Σ] Δ; ∇ ⇒ G (or [Σ] Δ; ∇ ⟶_D A) and [Σ] ∇' ⊨ ∇ then [Σ] Δ; ∇' ⇒ G 
(or [Σ] Δ; ∇' ⟶_D A). 

We first show that the restricted system is sound with respect to the model- 
theoretic semantics. 

Theorem 4.15 (Soundness). 

(1) If [Σ] Δ; ∇ ⇒ G is derivable then [Σ] Δ, ∇ ⊨ G. 

(2) If [Σ] Δ; ∇ ⟶_D A is derivable then [Σ] Δ, D, ∇ ⊨ A. 

Proof. (1) For part (1), the proof is by induction on derivations; the only novel 
cases involve И. 
— Suppose we have the derivation 

[Σ] ∇ ⊨ Иa.C    [Σ#a] Δ; ∇, C ⇒ G
──────────────────────────────────── ИR
[Σ] Δ; ∇ ⇒ Иa.G

By induction we have that [Σ#a] Δ, ∇, C ⊨ G. Appealing to Lemma 3.5, we 
conclude [Σ] Δ, ∇ ⊨ Иa.G. 
— Suppose we have the derivation 

[Σ] Δ; ∇ ⟶_D A    (D ∈ Δ)
─────────────────────────── back
[Σ] Δ; ∇ ⇒ A

Then by induction hypothesis (2), we have that [Σ] Δ, D, ∇ ⊨ A. Since 
D ∈ Δ, clearly [Σ] Δ ⊨ D, so we can deduce [Σ] Δ, ∇ ⊨ A. 

(2) For the second part, the proof is by induction on the derivation of [Σ] Δ; ∇ ⟶_D A. 
The interesting cases are hyp and ИL. 
— Suppose we have the derivation 

[Σ] ∇ ⊨ A' ∼ A
───────────────── hyp
[Σ] Δ; ∇ ⟶_{A'} A

We need to show [Σ] Δ, A', ∇ ⊨ A. To see this, suppose θ satisfies ∇ and 
H is a Herbrand model of Δ, θ(A'). Since [Σ] ∇ ⊨ A' ∼ A, there must be 
a permutation π such that π·θ(A') = θ(A). Moreover, since H ⊨ θ(A'), by 
the equivariance of H we also have H ⊨ π·θ(A'), so H ⊨ θ(A). Since θ and H 
were arbitrary, we conclude that [Σ] Δ, A', ∇ ⊨ A. 
— Suppose we have the derivation 

[Σ] ∇ ⊨ Иa.C    [Σ#a] Δ; ∇, C ⟶_D A
──────────────────────────────────── ИL
[Σ] Δ; ∇ ⟶_{Иa.D} A

By induction, we know that [Σ#a] Δ, D, ∇, C ⊨ A. Since [Σ] ∇ ⊨ Иa.C it 
follows that [Σ#a] Δ, D, ∇, C ⊨ A, so by Lemma 3.3 we have [Σ#a] Δ, D, ∇ ⊨ 
A. Moreover, by Lemma 3.9, we can conclude [Σ] Δ, Иa.D, ∇ ⊨ A. 
This completes the proof. □ 

We next show a restricted form of completeness relative to the model-theoretic 
semantics. Since the model-theoretic semantics is classical while the proof theory 
is constructive, it is too much to expect that classical completeness holds. For 
example, [X:ν, Y:ν] · ⊨ X ≈ Y ∨ X # Y is valid, but [X:ν, Y:ν] ·; · ⇒ X ≈ Y ∨ X # Y 
is not derivable (and indeed not intuitionistically valid). Instead, however, we can 
prove that any valuation that satisfies a goal G also satisfies a constraint which 
entails G. 

Proposition 4.16. For any Σ, Δ, G, D, i ≥ 0: 

(1) If [Σ] T^i_Δ, θ ⊨ G then there exists ∇ such that [Σ] θ ⊨ ∇ and [Σ] Δ; ∇ ⇒ G is 
derivable. 

(2) If [Σ] T_{θ(D)}(T^i_Δ), θ ⊨ A but [Σ] T^i_Δ, θ ⊭ A then there exists ∇ such that [Σ] θ ⊨ ∇ 
and [Σ] Δ; ∇ ⟶_D A. 

Proof. For the first part, the proof is by induction on i and G; most cases are 
straightforward. We give two illustrative cases. 

— If G = A and i > 0, then there are two further cases. If [Σ] T^{i-1}_Δ, θ ⊨ A then we 
use part (1) of the induction hypothesis. Otherwise [Σ] T^{i-1}_Δ, θ ⊭ A. This implies 
that θ(A) ∈ T_Δ(T^{i-1}_Δ) = ⋃_{D ∈ Δ} T_D(T^{i-1}_Δ), so we must have θ(A) ∈ T_D(T^{i-1}_Δ) 
for some D ∈ Δ. Observe that since D is closed, θ(D) = D. Consequently 
[Σ] T_{θ(D)}(T^{i-1}_Δ), θ ⊨ A but [Σ] T^{i-1}_Δ, θ ⊭ A, so induction hypothesis (2) applies and 
we can obtain a derivation of [Σ] Δ; ∇ ⟶_D A. The following derivation completes 
this case: 

[Σ] Δ; ∇ ⟶_D A    (D ∈ Δ)
─────────────────────────── back
[Σ] Δ; ∇ ⇒ A

— If G = Иa:ν.G', assume without loss of generality that a ∉ Σ. Then [Σ] T^i_Δ, θ ⊨ Иa.G' 
implies [Σ#a] T^i_Δ, θ ⊨ G'. By induction, there exists ∇ such that [Σ#a] Δ; ∇ ⇒ 
G' is derivable. We can therefore derive 

[Σ] Иa.∇ ⊨ Иa.∇    [Σ#a:ν] Δ; Иa.∇, ∇ ⇒ G'
──────────────────────────────────────────── ИR
[Σ] Δ; Иa.∇ ⇒ Иa.G'

using weakening to obtain the second subderivation. 

Similarly, the second part follows by induction on D, unwinding the definition of 
T_D in each case. We show the case for ИL. 

— If D = Иa:ν.D', assume without loss of generality that a ∉ Σ, θ, A. Then θ(D) = 
Иa.θ(D') and, since T_{Иa.θ(D')}(S) = ⋃_{b ∉ supp(Иa.θ(D'))} T_{(a b)·θ(D')}(S), we must 
have [Σ] ⋃_{b ∉ supp(Иa.θ(D'))} T_{(a b)·θ(D')}(T^i_Δ), θ ⊨ A. By definition, this means that 
θ(A) ∈ ⋃_{b ∉ supp(Иa.θ(D'))} T_{(a b)·θ(D')}(T^i_Δ). Since by assumption a ∉ Σ, θ, A and 
a ∉ supp(Иa.D'), we must have θ(A) ∈ T_{(a a)·θ(D')}(T^i_Δ). Note that (a a)·θ(D') = 
θ(D'), and θ : Σ#a, hence [Σ#a] T_{θ(D')}(T^i_Δ), θ ⊨ A. Consequently, by induction, 
there exists a ∇ such that [Σ#a] θ ⊨ ∇ and [Σ#a] Δ; ∇ ⟶_{D'} A. Therefore, we have 

[Σ] Иa.∇ ⊨ Иa.∇    [Σ#a] Δ; Иa.∇, ∇ ⟶_{D'} A
──────────────────────────────────────────── ИL
[Σ] Δ; Иa.∇ ⟶_{Иa.D'} A

Moreover, clearly [Σ#a] θ ⊨ ∇ implies [Σ] θ ⊨ Иa.∇. 

The complete proof can be found in Appendix B. □ 

Theorem 4.17 (Algebraic Completeness). If [Σ] Δ, θ ⊨ G then there ex- 
ists a constraint ∇ such that [Σ] θ ⊨ ∇ and [Σ] Δ; ∇ ⇒ G is derivable. 

Proof. If [Σ] Δ, θ ⊨ G, then there is some n such that [Σ] T^n_Δ, θ ⊨ G, so 
Proposition 4.16 applies. □ 

We can also extend this to a "logical" completeness result (following [Jaffar et al. 
1998]), namely that if an answer C classically implies G, then there is a finite set 
of constraints which prove G and whose disjunction covers C. We first establish 
that a goal formula is classically equivalent to the disjunction (possibly infinite) of 
all the constraints that entail it. 

Lemma 4.18. Let Σ be a context, Δ a program, G a goal, and Γ_G = {C | 
[Σ] Δ; C ⇒ G}. Then [Σ] Δ ⊨ G ⟺ ⋁Γ_G. 

Proof. For the forward direction, if [Σ] Δ, θ ⊨ G then by Theorem 4.17 there 
exists a constraint ∇ such that [Σ] θ ⊨ ∇ and [Σ] Δ; ∇ ⇒ G. Hence ∇ ∈ Γ_G, 
so [Σ] Δ, θ ⊨ ⋁Γ_G. 

Conversely, if [Σ] Δ, θ ⊨ ⋁Γ_G, then for some constraint C ∈ Γ_G, [Σ] Δ, θ ⊨ C. 
Consequently [Σ] Δ; C ⇒ G holds, so by Theorem 4.15 we have [Σ] Δ, C ⊨ G. 
Since [Σ] Δ, θ ⊨ C, we conclude that [Σ] Δ, θ ⊨ G. □ 

Theorem 4.19 (Logical Completeness). If [Σ] Δ, C ⊨ G then there ex- 
ists a finite set of constraints Γ₀ such that [Σ] C ⊨ ⋁Γ₀ and, for each C' ∈ Γ₀, 
[Σ] Δ; C' ⇒ G. 

Proof. Again set Γ_G = {C' | [Σ] Δ; C' ⇒ G}. By Lemma 4.18, [Σ] Δ, G ⊨ 
⋁Γ_G. Hence [Σ] Δ, C ⊨ ⋁Γ_G. By the Compactness Theorem for nominal 
logic [Cheney 2006a, Cor. 4.8], it follows that there is a finite subset Γ₀ ⊆ Γ_G such 
that [Σ] Δ, C ⊨ ⋁Γ₀. By definition, every C' ∈ Γ₀ ⊆ Γ_G satisfies [Σ] Δ; C' ⇒ 
G. □ 

4.2.2 The residuated system RNLp. The rules in Figure 11 have the potential 
disadvantage that an arbitrary constraint C is allowed in the rules ∃R, ∀L, ИL, ИR. 
Such arbitrary constraints arguably correspond to building a limited form of "cut" 
rule into proof search. Figure 12 shows a residuated proof system that eliminates 
this nondeterminism. (A similar idea is employed by Cervesato [1998].) Specifically, 
the judgment [Σ] Δ ⇒ G \ C means that, given context Σ and program Δ, goal 
G reduces to constraint C; similarly, [Σ] Δ ⟶_D A \ G means that goal formula G 
suffices to prove A from D. 
──────────────── con
[Σ] Δ ⇒ C \ C

[Σ] Δ ⇒ G₁ \ C₁    [Σ] Δ ⇒ G₂ \ C₂
──────────────────────────────────── ∧R
[Σ] Δ ⇒ G₁ ∧ G₂ \ C₁ ∧ C₂

[Σ] Δ ⇒ Gᵢ \ C
───────────────────── ∨Rᵢ
[Σ] Δ ⇒ G₁ ∨ G₂ \ C

────────────── ⊤R
[Σ] Δ ⇒ ⊤ \ ⊤

[Σ, X:σ] Δ ⇒ G \ C
──────────────────────────── ∃R
[Σ] Δ ⇒ ∃X:σ.G \ ∃X:σ.C

[Σ#a:ν] Δ ⇒ G \ C
──────────────────────────── ИR
[Σ] Δ ⇒ Иa:ν.G \ Иa:ν.C

[Σ] Δ ⟶_D A \ G    [Σ] Δ ⇒ G \ C    (D ∈ Δ)
────────────────────────────────────────── back
[Σ] Δ ⇒ A \ C

──────────────────────── hyp
[Σ] Δ ⟶_{A'} A \ A ∼ A'

[Σ] Δ ⟶_{Dᵢ} A \ G
───────────────────────── ∧Lᵢ
[Σ] Δ ⟶_{D₁ ∧ D₂} A \ G

[Σ] Δ ⟶_D A \ G'
──────────────────────────── ⇒L
[Σ] Δ ⟶_{G ⇒ D} A \ G ∧ G'

[Σ, X:σ] Δ ⟶_D A \ G
──────────────────────────────── ∀L
[Σ] Δ ⟶_{∀X:σ.D} A \ ∃X:σ.G

[Σ#a:ν] Δ ⟶_D A \ G
──────────────────────────────── ИL
[Σ] Δ ⟶_{Иa:ν.D} A \ Иa:ν.G

Fig. 12. Residuated uniform/focused proof search 

To see why this residuated system reduces nondeterminism, recall the goal Иa.∃X.a # X 
from the previous section. Using the residuated system, we can derive: 

────────────────────────────────── con
[Σ#a, X] Δ ⇒ a # X \ a # X
────────────────────────────────── ∃R
[Σ#a] Δ ⇒ ∃X.a # X \ ∃X.a # X
────────────────────────────────────────── ИR
[Σ] Δ ⇒ Иa.∃X.a # X \ Иa.∃X.a # X

Note that this simply says that in order to solve the goal Иa.∃X.a # X, it suffices 
to solve the constraint Иa.∃X.a # X, which is valid and so equivalent to ⊤. 

Theorem 4.20 (Residuated Soundness). 

(1) If [Σ] Δ ⇒ G \ C then [Σ] Δ; C ⇒ G. 

(2) If [Σ] Δ; ∇ ⇒ G and [Σ] Δ ⟶_D A \ G then [Σ] Δ; ∇ ⟶_D A. 

Theorem 4.21 (Residuated Completeness). 

(1) If [Σ] Δ; ∇ ⇒ G then there exists a constraint C such that [Σ] Δ ⇒ G \ C 
and [Σ] ∇ ⊨ C. 

(2) If [Σ] Δ; ∇ ⟶_D A then there exist a goal G and a constraint C such that [Σ] Δ ⟶_D 
A \ G and [Σ] Δ ⇒ G \ C and [Σ] ∇ ⊨ C. 

Both proofs are straightforward structural inductions (see Appendix B). 
4.3 Operational Semantics 

We now give a CLP-style operational semantics for nominal logic programs. The 
rules of the operational semantics are shown in Figure 13. A program state is a 
triple of the form Σ(Γ | ∇). Note that the backchaining step is defined in terms of 
residuated focused proof, [Σ] Δ ⟶_D A \ G. 

The operational semantics is quite close to the residuated proof system. We 
now state the operational soundness and completeness properties. The proofs are 
(B)   Σ(A, Γ | ∇)         → Σ(G, Γ | ∇)        (if ∃D ∈ Δ. [Σ] Δ ⟶_D A \ G) 

(C)   Σ(C, Γ | ∇)         → Σ(Γ | ∇, C)        (∇, C consistent) 

(⊤)   Σ(⊤, Γ | ∇)         → Σ(Γ | ∇) 

(∧)   Σ(G₁ ∧ G₂, Γ | ∇)   → Σ(G₁, G₂, Γ | ∇) 

(∨ᵢ)  Σ(G₁ ∨ G₂, Γ | ∇)   → Σ(Gᵢ, Γ | ∇) 

(∃)   Σ(∃X:σ.G, Γ | ∇)    → Σ, X:σ(G, Γ | ∇) 

(И)   Σ(Иa:ν.G, Γ | ∇)    → Σ#a:ν(G, Γ | ∇) 

Fig. 13. Operational semantics transitions for nominal logic programs 

straightforward by cases or induction; some details are presented in an appendix. 
To simplify notation, we write [Σ] Δ ⇒ Γ \ C, where Γ = G₁, …, Gₙ and C = 
C₁, …, Cₙ, to abbreviate [Σ] Δ ⇒ G₁ \ C₁, …, [Σ] Δ ⇒ Gₙ \ Cₙ. In addition, we 
will need to reason by well-founded induction on such ensembles of derivations. We 
define the subderivation relation 𝒟 < ℰ to indicate that 𝒟 is a strict subderivation 
of ℰ, and write 𝒟 <* ℰ for the multiset ordering generated by <. 
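The transitions of Fig. 13 executed on a constructed program, as an added example; this is not the paper's αProlog implementation. The constraint solver it uses is a deliberately tiny stand-in of this example's own (not from the paper): an equation s ≈ t is solved only when one side is a variable and the other side is ground, or when both sides are ground (then compared up to α-equivalence of abstractions); a freshness constraint a # t is decided only for ground t; everything else is delayed in the store, which is the treatment the paper describes for hard constraints in Section 5.3.3. Names occurring in program clauses are treated as global constants, so the clauses are И-goal in the sense of Section 5.3.1. The tuple encodings of terms, goals and clauses are assumptions of this example.

```python
from itertools import count

_ids = count(1)                                    # fresh names/variables for (∃) and (И)
def name(a): return ('name', a)
def var(x): return ('var', x)
def abst(a, t): return ('abs', a, t)               # abstraction (a)t
def app(f, *args): return ('app', f, tuple(args))  # f(t1, ..., tn)

def swap(a, b, t):
    """Action of the transposition (a b) on a term."""
    if t[0] == 'name': return name(b if t[1] == a else a if t[1] == b else t[1])
    if t[0] == 'abs': return abst(swap(a, b, name(t[1]))[1], swap(a, b, t[2]))
    if t[0] == 'app': return ('app', t[1], tuple(swap(a, b, x) for x in t[2]))
    return t

def ground(t):
    if t[0] == 'name': return True
    if t[0] == 'abs': return ground(t[2])
    return t[0] == 'app' and all(map(ground, t[2]))

def fresh(a, t):
    """a # t, for ground t."""
    if t[0] == 'name': return a != t[1]
    if t[0] == 'abs': return t[1] == a or fresh(a, t[2])
    return all(fresh(a, x) for x in t[2])

def alpha_eq(s, t):
    """s ≈ t for ground s, t: (a)s ≈ (b)t iff a = b and s ≈ t, or a # t and s ≈ (a b)·t."""
    if s[0] != t[0]: return False
    if s[0] == 'name': return s[1] == t[1]
    if s[0] == 'abs':
        if s[1] == t[1]: return alpha_eq(s[2], t[2])
        return fresh(s[1], t[2]) and alpha_eq(s[2], swap(s[1], t[1], t[2]))
    return s[1] == t[1] and len(s[2]) == len(t[2]) and all(map(alpha_eq, s[2], t[2]))

def tsub(t, m):
    """Apply a mapping from leaves ('var', x) / ('name', a) to terms (names map to names)."""
    if t in m: return m[t]
    if t[0] == 'abs': return abst(m.get(name(t[1]), name(t[1]))[1], tsub(t[2], m))
    if t[0] == 'app': return ('app', t[1], tuple(tsub(x, m) for x in t[2]))
    return t

def gsub(g, m):
    """Apply the same mapping to a goal."""
    k = g[0]
    if k in ('and', 'or'): return (k, gsub(g[1], m), gsub(g[2], m))
    if k in ('exists', 'new'): return (k, g[1], gsub(g[2], m))
    if k == 'atom': return (k, g[1], tuple(tsub(t, m) for t in g[2]))
    if k == 'eq': return (k, tsub(g[1], m), tsub(g[2], m))
    if k == 'fresh': return (k, m.get(name(g[1]), name(g[1]))[1], tsub(g[2], m))
    return g                                       # ('top',)

def solve(store):
    """Toy consistency check: (theta, delayed constraints) if satisfiable, else None."""
    theta, pending, changed = {}, list(store), True
    while changed:
        changed, rest = False, []
        for c in pending:
            if c[0] == 'eq':
                s, t = tsub(c[1], theta), tsub(c[2], theta)
                if (s[0] == 'var' and ground(t)) or (t[0] == 'var' and ground(s)):
                    v, u = (s, t) if s[0] == 'var' else (t, s)
                    theta = {k: tsub(w, {v: u}) for k, w in theta.items()}
                    theta[v], changed = u, True
                elif ground(s) and ground(t):
                    if not alpha_eq(s, t): return None
                else: rest.append(c)
            else:                                  # ('fresh', a, t)
                t = tsub(c[2], theta)
                if ground(t):
                    if not fresh(c[1], t): return None
                else: rest.append(c)
        pending = rest
    return theta, pending

def step(state, program):
    """Successor states of Σ(Γ | ∇) under the rules of Fig. 13; Γ is a goal list."""
    sigma, (g, *rest), store = state
    k = g[0]
    if k == 'top':                                 # (⊤)
        yield sigma, rest, store
    elif k == 'and':                               # (∧)
        yield sigma, [g[1], g[2]] + rest, store
    elif k == 'or':                                # (∨1), (∨2)
        yield sigma, [g[1]] + rest, store
        yield sigma, [g[2]] + rest, store
    elif k == 'exists':                            # (∃): Σ, X:σ
        x = var('%s_%d' % (g[1], next(_ids)))
        yield sigma + [x], [gsub(g[2], {var(g[1]): x})] + rest, store
    elif k == 'new':                               # (И): Σ#a:ν
        a = name('%s_%d' % (g[1], next(_ids)))
        yield sigma + [a], [gsub(g[2], {name(g[1]): a})] + rest, store
    elif k in ('eq', 'fresh'):                     # (C): only if ∇, C is consistent
        if solve(store + [g]) is not None: yield sigma, rest, store + [g]
    elif k == 'atom':                              # (B): residual goal of a clause ∀X̄[G ⇒ p(t̄)]
        for vs, body, head in program:
            if head[1] != g[1] or len(head[2]) != len(g[2]): continue
            m = {var(v): var('%s_%d' % (v, next(_ids))) for v in vs}
            eqs = [('eq', tsub(s, m), t) for s, t in zip(head[2], g[2])]
            yield sigma, eqs + [gsub(body, m)] + rest, store

def run(goal, program):
    """All answers reachable from Σ(G | ∅), each as (theta, delayed constraints)."""
    answers, stack = [], [([], [goal], [])]
    while stack:
        sigma, goals, store = stack.pop()
        if goals: stack.extend(step((sigma, goals, store), program))
        else: answers.append(solve(store))
    return answers

# Constructed program:  q(c).   p(X) :- a # X, q(X).   (a, c are names; X is a variable)
PROGRAM = [([], ('top',), ('atom', 'q', (name('c'),))),
           (['X'], ('and', ('fresh', 'a', var('X')), ('atom', 'q', (var('X'),))),
            ('atom', 'p', (var('X'),)))]
# Constructed goals: Иb.∃Y.(p(Y) ∧ b # Y), Иa.∃X.a # X (the goal of Remark 4.7), p(a)
G_NEW = ('new', 'b', ('exists', 'Y', ('and', ('atom', 'p', (var('Y'),)), ('fresh', 'b', var('Y')))))
G_FRESH = ('new', 'a', ('exists', 'X', ('fresh', 'a', var('X'))))
G_FAIL = ('atom', 'p', (name('a'),))
```

`run(G_NEW, PROGRAM)` reaches one final state Σ'(∅ | ∇') in which both variables are bound to c and nothing is delayed; `run(G_FAIL, PROGRAM)` has no final state because the (C) step for a # X is blocked once X ≈ a has been recorded; and `run(G_FRESH, [])` finishes with the single delayed constraint a' # X' as its answer, which is the ∃Σ'[∇'] of Section 4.4. The search is a plain depth-first walk over configurations and is not meant for programs with left recursion.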

Proposition 4.22 amounts to showing that each operational transition corresponds 
to a valid manipulation on (multisets of) residuated proofs. 

Proposition 4.22 (Transition Soundness). If Σ(Γ | ∇) → Σ'(Γ' | ∇') 
and [Σ'] Δ ⇒ Γ' \ C' then there exist C such that 

(1) [Σ] Δ ⇒ Γ \ C and 
(2) [Σ'] ∇', C' ⊨ ∇, C. 

Theorem 4.23 (Operational Soundness). If Σ(Γ | ∇) →* Σ'(∅ | ∇') 
then there exists C such that [Σ'] ∇' ⊨ ∇, C and [Σ] Δ ⇒ Γ \ C. 

The transition completeness property (Proposition 4.24) states that for any con- 
figuration Σ(Γ | ∇) such that the goals Γ have appropriate derivations in the 
residuated proof system, there is an operational transition step to a new state with 
appropriately modified derivations. This is essentially the (complicated) induction 
hypothesis for proving completeness of the operational semantics with respect to 
the other systems (Theorem 4.25). 

Proposition 4.24 (Transition Completeness). For any nonempty Γ and 
satisfiable ∇, C, if we have derivations 𝒟 of [Σ] Δ ⇒ Γ \ C then for some Σ', 
∇', and Γ' we have 

(1) Σ(Γ | ∇) → Σ'(Γ' | ∇'), 

(2) there exist derivations 𝒟' of [Σ'] Δ ⇒ Γ' \ C', where 𝒟' <* 𝒟, 

(3) ∃Σ[∇] ⊨ ∃Σ'[∇']. 

Theorem 4.25 (Operational Completeness). If [Σ] Δ ⇒ Γ \ C and ∇, C 
is satisfiable then for some Σ' and ∇', we have Σ(Γ | ∇) →* Σ'(∅ | ∇') and 
∃Σ[∇, C] ⊨ ∃Σ'[∇']. 
4.4 Summary 

The goal of this section has been to present and show the equivalence of model- 
theoretic, proof-theoretic, and operational presentations of the semantics of nominal 
logic programs. We abbreviate Σ(G | ∅) →* Σ,Σ'(∅ | C) as Σ(G) ⇓ ∃Σ'[C]. The 
soundness and completeness theorems we have established can be chained together 
as follows to summarize these results: 

Corollary 4.26. If Σ(G) ⇓ ∇ then: 

(1) there exists C such that [Σ] ∇ ⊨ C and [Σ] Δ ⇒ G \ C; 

(2) [Σ] Δ; ∇ ⇒ G; and 

(3) [Σ] Δ, ∇ ⊨ G. 

Proof. Immediate using Theorem 4.23, Theorem 4.20, and Theorem 4.15. □ 

Corollary 4.27. 

(1) If [Σ] Δ ⇒ G \ C and C is satisfiable then for some ∇, we have Σ(G) ⇓ ∇ 
and [Σ] C ⊨ ∇. 

(2) If [Σ] Δ; ∇ ⇒ G and ∇ is satisfiable then for some ∇', we have Σ(G) ⇓ ∇' 
and [Σ] ∇ ⊨ ∇'. 

(3) If [Σ] Δ, θ ⊨ G then for some ∇, we have Σ(G) ⇓ ∇ and [Σ] θ ⊨ ∇. 

(4) If [Σ] Δ, C ⊨ G then there exists a finite collection of constraints ∇̄ such that 
Σ(G) ⇓ ∇ᵢ for each ∇ᵢ ∈ ∇̄ and [Σ] C ⊨ ∇₁ ∨ ⋯ ∨ ∇ₙ. 

Proof. Immediate using Theorem 4.25, Theorem 4.21, Theorem 4.17, and Theo- 
rem 4.19. □ 

These results ensure that the operational semantics computes all (and only) cor- 
rect solutions with respect to nominal logic, so the proof-theoretic and model- 
theoretic semantics can be used to reason about the behavior of programs; this is 
often much easier than reasoning about the operational semantics, as we shall now 
demonstrate. 

5. APPLICATIONS 
5.1 Adequacy 

As discussed in Section 2, when we use αProlog programs to implement a formal 
system, it is important to ensure that the relationship between the formal and infor- 
mal system is correct. To some extent this property, often called adequacy [Pfenning 
2001], is in the eye of the beholder, because the fact that the "real" system lacks a 
precise formal characterization is often the problem we are trying to solve by formal- 
izing it. Nevertheless, for nominal logic programs, we can emulate typical adequacy 
arguments by checking that the expressions, relations, and functions of the informal 
language being formalized correspond to their representations in αProlog. 

For example, recall the encodings of informal λ-terms, types, and contexts as 
αProlog expressions, introduced in Section 2.2. We make the simplifying assump- 
tion that the variables of object λ-terms and types are names of type id and tid 
respectively. Then we can translate λ-terms, types, and contexts as follows: 

⌜x⌝ = var(x) 
⌜e₁ e₂⌝ = app(⌜e₁⌝, ⌜e₂⌝) 
⌜λx.e⌝ = lam((x)⌜e⌝) 
⌜τ → τ'⌝ = arrTy(⌜τ⌝, ⌜τ'⌝) 
⌜Γ, x:τ⌝ = [(x, ⌜τ⌝) | ⌜Γ⌝] 

We also introduce an auxiliary predicate valid_ctx : [(id, ty)] → o, needed to 
characterize the "well-formed" contexts Γ (in which no variable is bound more 
than once). It is defined by the rules: 

valid_ctx([]). 
valid_ctx([(X,T)|G]) :- X # G, valid_ctx(G). 

Using the model-theoretic semantics introduced in Section 4.1, it is straightforward 
(if tedious) to show that: 

Proposition 5.1. Let Exp, Ty, Ctx be the sets of syntactic expressions, types, 
and contexts of the λ-calculus. Let FV(−) be the free-variables function, and 
− =α − and −[− := −] = − the α-equivalence and substitution relations respec- 
tively, defined in Barendregt [1984, Ch. 2]. 

(1) The following functions are bijective: 

Exp/=α ≅ {e | ⊢ e : exp} 
Ty ≅ {t | ⊢ t : ty} 
Ctx ≅ {g | ⊢ g : [(id, ty)]} 

(2) e =α e' if and only if ⌜e⌝ ≈ ⌜e'⌝. 
(3) ⌜e[x := y, y := x]⌝ = (x y)·⌜e⌝. 

(4) x ∉ FV(e) if and only if x # ⌜e⌝. 

(5) e[x := e'] = e'' if and only if subst(⌜e⌝, ⌜e'⌝, x) ≈ ⌜e''⌝. 

(6) Γ is well-formed if and only if valid_ctx(⌜Γ⌝). 

(7) For well-formed Γ, x ∉ Dom(Γ) if and only if x # ⌜Γ⌝. 
(8) Γ ⊢ e : τ if and only if tc(⌜Γ⌝, ⌜e⌝, ⌜τ⌝). 
5.2 Correctness of elaboration 

In an implementation, program clauses are often elaborated into a normal form 
∀Σ[G ⇒ A] which is easier to manipulate and optimize. We define the elaboration 
of a program clause or program as the result of normalizing it with respect to the 
following rewrite system: 

G ⇒ ⊤ → ⊤ 
D ∧ ⊤ → D 
⊤ ∧ D → D 
∀X.⊤ → ⊤ 
Иa.⊤ → ⊤ 
Δ, D ∧ D' → Δ, D, D' 
Δ, ⊤ → Δ 
G ⇒ G' ⇒ D → G ∧ G' ⇒ D 
G ⇒ D ∧ D' → (G ⇒ D) ∧ (G ⇒ D') 
G ⇒ ∀X.D → ∀X.(G ⇒ D)    (X ∉ FV(G)) 
G ⇒ Иa.D → Иa.(G ⇒ D)    (a ∉ supp(G)) 
∀X.(D ∧ D') → ∀X.D ∧ ∀X.D' 
Иa.(D ∧ D') → Иa.D ∧ Иa.D' 
∀X.Иa.D → Иa.∀X.a # X ⇒ D 

It is straightforward to show that this system is terminating and confluent (up 
to α- and multiset-equality) and that elaborated programs consist only of closed 
formulas of the form ∀Σ[G ⇒ A] where ∀Σ is of the form Иā∀X̄. Moreover, this 
translation clearly preserves the meaning of the program since all of the rewrite 
rules correspond to valid equivalences in nominal logic. 
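An elaborator for the rewrite system above, as an added example (not the paper's implementation). Rather than applying the rules one rewrite at a time, `elaborate` computes the normal form Иā∀X̄[G ⇒ A] by structural recursion, with each case annotated by the rules it collapses; since the system is confluent the result is the same. The tuple encoding of formulas, the constructed program, and the choice to rename a binder apart when hoisting it over a goal that mentions it (the side conditions X ∉ FV(G) and a ∉ supp(G)) are this example's own.

```python
from itertools import count

_counter = count(1)                                 # for renaming captured binders apart

def var(x): return ('var', x)
def name(a): return ('name', a)
def atom(p, *args): return ('atom', p, tuple(args))
def app(f, *args): return ('app', f, tuple(args))
def abst(a, t): return ('abs', name(a), t)          # (a)t, binder stored as a name leaf

def occurs(leaf, x):
    """Does the leaf ('var', X) or ('name', a) occur anywhere in the tree x?"""
    return x == leaf or (isinstance(x, tuple) and any(occurs(leaf, y) for y in x))

def rename(x, old, new):
    """Replace every occurrence of the leaf `old` in the tree x by `new`."""
    if x == old: return new
    return tuple(rename(y, old, new) for y in x) if isinstance(x, tuple) else x

def conj(g, h):
    """G ∧ H, applying ⊤ ∧ D → D and D ∧ ⊤ → D."""
    if g == ('top',): return h
    if h == ('top',): return g
    return ('and', g, h)

def elaborate(d):
    """Normal forms of the clause D as a list of (names, vars, body, head), read as
    Иā∀X̄[body ⇒ head].  D ::= ('top',) | atom | ('and', D, D') | ('imp', G, D)
    | ('forall', ('var', X), D) | ('new', ('name', a), D)."""
    kind = d[0]
    if kind == 'top':                               # Δ, ⊤ → Δ; also ∀X.⊤ → ⊤, Иa.⊤ → ⊤, G ⇒ ⊤ → ⊤
        return []
    if kind == 'atom':
        return [((), (), ('top',), d)]
    if kind == 'and':                               # Δ, D ∧ D' → Δ, D, D'
        return elaborate(d[1]) + elaborate(d[2])
    if kind == 'imp':                               # G ⇒ D ∧ D', G ⇒ ∀X.D, G ⇒ Иa.D, G ⇒ G' ⇒ D
        g, out = d[1], []
        for clause in elaborate(d[2]):
            for binder in clause[0] + clause[1]:    # side conditions X ∉ FV(G), a ∉ supp(G)
                if occurs(binder, g):
                    apart = (binder[0], '%s_%d' % (binder[1], next(_counter)))
                    clause = rename(clause, binder, apart)
            names, vs, body, head = clause
            out.append((names, vs, conj(g, body), head))
        return out
    if kind == 'forall':                            # ∀X.(D ∧ D') → ∀X.D ∧ ∀X.D'; ∀X.Иa.D → Иa.∀X.a # X ⇒ D
        x, out = d[1], []
        for names, vs, body, head in elaborate(d[2]):
            for a in names:
                body = conj(('fresh', a, x), body)
            out.append((names, (x,) + vs, body, head))
        return out
    if kind == 'new':                               # Иa.(D ∧ D') → Иa.D ∧ Иa.D'
        return [((d[1],) + names, vs, body, head)
                for names, vs, body, head in elaborate(d[2])]
    raise ValueError('not a program clause: %r' % (d,))

def elaborate_program(program):
    """Elaborate every clause of Δ and concatenate the results."""
    return [c for d in program for c in elaborate(d)]

# Constructed program: ∀X.Иa.(q(X) ⇒ (p((a)X, X) ∧ r(X)))   and   q(Y) ⇒ ∀Y.s(Y)  (Y captured)
PROGRAM = [
    ('forall', var('X'), ('new', name('a'),
        ('imp', atom('q', var('X')),
            ('and', atom('p', abst('a', var('X')), var('X')), atom('r', var('X')))))),
    ('imp', atom('q', var('Y')), ('forall', var('Y'), atom('s', var('Y')))),
]
```

The first constructed clause elaborates to the two clauses Иa.∀X.(a # X ∧ q(X)) ⇒ p((a)X, X) and Иa.∀X.(a # X ∧ q(X)) ⇒ r(X), the freshness constraint coming from the ∀X.Иa.D rule; the second shows the side condition at work: the bound Y is renamed apart so that the free Y of q(Y) is not captured.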

5.3 Avoiding expensive nominal constraint problems 

We have focused on reducing proof search for nominal logic programs to constraint 
solving over the theory of nominal terms. The latter problem, while beyond the 
scope of this paper, is naturally central to an implementation. Unfortunately, like 
many constraint domains encountered in constraint logic programming, full nominal 
constraint solving is NP-hard [Cheney 2004a] and algorithmically involved [Cheney 
2005a]. In this section, we discuss the state of the art of nominal constraint solving 
and identify an optimization which can be used to avoid the need to handle NP- 
complete constraint problems in order to execute many typical programs (including 
all of the examples in this paper) efficiently in practice. 

At present, full equivariant resolution (∼-resolution) is not implemented in αProlog. 
Instead, it uses Urban et al. [2004]'s nominal unification algorithm, to which we re- 
fer in this paper as restricted nominal unification. This algorithm solves a tractable 
special case: specifically, it works for constraints involving only ≈ or # that satisfy 
the following ground name restriction: 

Definition 5.2. We say that a term, formula, or constraint is (ground) name- 
restricted if, for every subformula or subterm of one of the forms 

a # t    (a b)·t    (a)t 

the subterms a, b are ground names. 

In the proof-theoretic semantics, we can model the use of equational unification 
for resolution by replacing the hyp rule with hyp≈ 

[Σ] ∇ ⊨ A ≈ A'
───────────────── hyp≈
[Σ] Δ; ∇ ⟶_{A'} A

in which the stronger condition [Σ] ∇ ⊨ A ≈ A' is required to conclude [Σ] Δ; ∇ ⟶_{A'} 
A. We write [Σ] Δ; ∇ ⇒≈ G and [Σ] Δ; ∇ ⟶≈_D A for uniform or focused proofs in 
which hyp≈ is used instead of hyp, and refer to such proofs as ≈-resolution proofs, 
to contrast with the ∼-resolution proofs using the original hyp rule. It is easy to 
verify that ≈-resolution proofs are sound with respect to ordinary derivations and 
that all constraints arising in such proofs for name-restricted programs and goals 
are name-restricted. 

Unfortunately, ≈-resolution is incomplete relative to the full system, because, 
unlike in first-order logic, two ground atomic formulas can be logically equivalent 
but not equal as nominal terms. Instead, because of the equivariance principle, 
two ground atomic formulas are equivalent if they are equal "up to a permutation" 
(that is, related by ∼). Equational resolution fails to find solutions that depend on 
equivariance. 

Example 5.3. The simplest example is the single program clause Иa.p(a). If we 
try to solve the goal ∃X.p(X) against this program, then we get the satisfiable answer 
constraint Иa.∃X.p(a) ≈ p(X). However, if we pose the (logically equivalent) query 
Иb.p(b) then proof search fails with the unsatisfiable Иa, b.p(a) ≈ p(b). 

This example shows that equational resolution is incomplete for name-restricted 
programs. Moreover, ∼-resolution over name-restricted terms remains NP-complete 
via an easy reduction from the NP-completeness of equivariant unification [Cheney 
2004a]. Perhaps counterintuitively, however, this does not appear to be a problem 
for most programs encountered in practice. In particular, all of the programs pre- 
sented in Section 2, even those including clauses such as 

tc(G, lam((x)E), arrTy(T,T')) :- x # G, tc([(x,T)|G], E, T').    (1) 

seem to work correctly using only ≈-resolution, despite its incompleteness. 

In previous work [Urban and Cheney 2005], the authors investigated this situ- 
ation and developed a (rather complicated) test for identifying clauses for which 
≈-resolution proof search is complete. Informally, this test checks whether any 
names mentioned by a clause are "essentially" free in its head. However, this intu- 
ition is difficult to capture syntactically, as the following examples demonstrate: 

Example 5.4. Suppose we require that names only appear in abstractions in the 
head of the clause. This rules out the problematic clause Иa.p(a). However, ≈- 
resolution is still incomplete for such clauses. For example, consider 

Иa.∀X.q((a)X, X).    (2) 

This clause can prove the goal q((a)a, a) for any name a. Since (a)a ≈ (b)b for any 
names a, b, the clause also proves q((b)b, a) for any names a, b. Yet ≈-resolution 
proof search for the goal Иa, b.q((a)a, b) fails: 

[Σ#a#b#a', X'] Δ ⟶≈_{q((a')X', X')} q((a)a, b) \ q((a')X', X') ≈ q((a)a, b)
─────────────────────────────────────────────────────────────────────────── ИL, ∀L
[Σ#a#b] Δ ⟶≈_{Иa'.∀X'.q((a')X', X')} q((a)a, b) \ Иa'.∃X'.q((a')X', X') ≈ q((a)a, b)
─────────────────────────────────────────────────────────────────────────── back
[Σ#a#b] Δ ⇒≈ q((a)a, b) \ Иa'.∃X'.q((a')X', X') ≈ q((a)a, b)
─────────────────────────────────────────────────────────────────────────── ИR
[Σ] Δ ⇒≈ Иa, b.q((a)a, b) \ Иa, b, a'.∃X'.q((a')X', X') ≈ q((a)a, b)

since the constraint Иa, b, a'.∃X'.q((a')X', X') ≈ q((a)a, b) is unsatisfiable. In con- 
trast, the equivariance constraint Иa, b, a'.∃X'.q((a')X', X') ∼ q((a)a, b) is satisfi- 
able, since we may set X' = a' to obtain the problem q((a')a', a') ∼ q((a)a, b) and then 
swap a' and b to make the two terms equal. 
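The two notions of equality that Examples 5.3 and 5.4 contrast, decided on ground terms, as an added example (not the paper's code). `alpha_equal` decides s ≈ t, equality of nominal terms up to renaming of bound names; `equivariant_equal` decides s ∼ t, equality up to a permutation of free names, which is what the hyp rule of Fig. 11 asks the constraint solver for. Both work by computing a canonical form of this example's own design: bound names become de Bruijn-style indices, and for ∼ the free names are additionally replaced by the order of their first occurrence, a bijective renaming, so equal canonical forms mean that some permutation π with π·s ≈ t exists and `witness` reads that π off the two renamings. Name sorts are ignored; that is an assumption of this toy.

```python
def name(a): return ('name', a)
def abst(a, t): return ('abs', a, t)               # abstraction (a)t
def app(f, *args): return ('app', f, tuple(args))  # f(t1, ..., tn); atoms p(t̄) use it too

def canon(t, bound=(), free=None):
    """Canonical form of a ground term.  `bound` is the stack of binders in scope;
    a bound name becomes ('b', distance to its binder).  If `free` is a dict, free
    names become ('f', order of first occurrence) and the renaming is recorded in
    it; if `free` is None, free names are kept, which gives alpha-equivalence."""
    kind = t[0]
    if kind == 'name':
        a = t[1]
        if a in bound:
            return ('b', bound[::-1].index(a))
        if free is None:
            return t
        free.setdefault(a, len(free))
        return ('f', free[a])
    if kind == 'abs':
        return ('abs', canon(t[2], bound + (t[1],), free))
    return ('app', t[1], tuple(canon(x, bound, free) for x in t[2]))

def alpha_equal(s, t):
    """s ≈ t: bound names may be renamed, free names must match exactly."""
    return canon(s) == canon(t)

def equivariant_equal(s, t):
    """s ∼ t: some permutation π of names satisfies π·s ≈ t."""
    return canon(s, free={}) == canon(t, free={})

def witness(s, t):
    """For s ∼ t, the renaming of free names of s to those of t induced by the
    canonical forms (it extends to the permutation π with π·s ≈ t); else None."""
    fs, ft = {}, {}
    if canon(s, free=fs) != canon(t, free=ft):
        return None
    by_index = {i: b for b, i in ft.items()}
    return {a: by_index[i] for a, i in fs.items()}

# Constructed instances of Examples 5.3 and 5.4
P_A, P_B = app('p', name('a')), app('p', name('b'))      # p(a), p(b)
Q_A = app('q', abst('a', name('a')), name('a'))           # q((a)a, a)
Q_BA = app('q', abst('b', name('b')), name('a'))          # q((b)b, a)
Q_INST = app('q', abst("a'", name("a'")), name("a'"))     # q((a')a', a'), the X' = a' instance
Q_GOAL = app('q', abst('a', name('a')), name('b'))        # q((a)a, b)
```

`p(a)` and `p(b)` are not ≈ but are ∼ with witness `{'a': 'b'}`, which is exactly why the query Иb.p(b) fails under ≈-resolution in Example 5.3; `q((a)a, a)` and `q((b)b, a)` are already ≈ because only the bound name differs; and `q((a')a', a')` versus `q((a)a, b)` reproduces the end of Example 5.4: not ≈, but ∼ via the swap of a' and b.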

Example 5.5. Suppose we forbid names anywhere in the head of the clause, ruling 
out Иa.∀X.q((a)X, X). Incompleteness can still arise, as the following program 
illustrates: 

Иa.∀X.r(X) :- X ≈ a.    (3) 

because this program logically implies the goal Иa.r(a) but ≈-resolution produces the 
unsatisfiable constraint Иa, a'.r(a) ≈ r(X), X ≈ a'. 

Example 5.6. Suppose we forbid names anywhere in a clause. This means that 
only "first-order" Horn clauses not mentioning names, abstraction, freshness, or 
swapping can be used as program clauses. While this does mean that ordinary 
first-order logic programs can be executed efficiently over nominal terms, it rules 
out all interesting nominal logic programs. 

In the rest of this section, we provide a new characterization of the program 
clauses for which ≈-resolution is complete that is much easier to prove correct 
and to check than the original formulation in [Urban and Cheney 2005]. In this 
approach, we identify a class of program clauses called И-goal clauses, show how 
to translate arbitrary program clauses D to И-goal clauses ‖D‖, show that the 
behavior of an arbitrary program clause under ≈-resolution is equivalent to that 
of its И-goal translation, and finally show that ≈-resolution is complete for И-goal 
clauses. Hence, if a clause is equivalent to its И-goal translation, then ≈-resolution 
proof search is complete for the clause. 

These results can be applied in two different ways. First, in an implementation 
that does not provide full ∼-resolution (as is the case in the current implementa- 
tion), they show that proof search is complete for many typical programs anyway, 
and provide a systematic way for the implementation to warn the programmer of 
a potential source of incompleteness. Second, in an implementation that does pro- 
vide full ∼-resolution, they can be used to recognize clauses for which the more efficient 
nominal unification can be used instead of equivariant unification. 

5.3.1 И-goal clauses. We say that a program clause is И-goal if it has no sub- 
formula of the form Иa.D. However, И-quantified goals Иa.G are allowed. Such 
goals and program clauses are generated by the BNF grammar: 

G ::= ⊤ | A | C | G ∧ G' | G ∨ G' | ∃X.G | Иa.G 
D ::= ⊤ | A | D ∧ D' | G ⇒ D | ∀X.D 

Arbitrary (normalized) program clauses of the form Иā∀X̄[G ⇒ p(t̄)] can be 
translated to И-goal clauses in the following way: 

‖Иā∀X̄[G ⇒ p(t̄)]‖ = ∀Z̄[(Иā.∃X̄. t̄ ≈ Z̄ ∧ G) ⇒ p(Z̄)] 

Note, however, that the И-goal translation of a clause is not equivalent to the 
original clause, in general: 

Example 5.7. Recalling Example 5.3, consider the translation ‖Иa.p(a)‖ = ∀Z[(Иa.a ≈ 
Z) ⇒ p(Z)]; the subgoal in the latter clause can never be satisfied since a must be 
fresh for Z. 

Example 5.8. Consider the translation of (2): 

‖Иa∀X[p((a)X, X)]‖ = ∀Z₁, Z₂[(Иa.∃X.(a)X ≈ Z₁ ∧ X ≈ Z₂) ⇒ p(Z₁, Z₂)]. 

The latter clause cannot derive p((a)a, b), so it differs in meaning from the former. In 
fact, the И-goal clause is logically equivalent to p((a)X, X) :- a # X. 

Example 5.9. Consider the translation of (3): 

‖Иa∀X[a ≈ X ⇒ r(X)]‖ = ∀Z[(Иa.∃X.X ≈ Z ∧ a ≈ X) ⇒ r(Z)]. 

The goal Иa.∃X.X ≈ Z ∧ a ≈ X is never satisfiable since a will always be fresh for 
X ≈ Z. 

Example 5.10. Any И-goal program clause ∀X̄[G ⇒ p(t̄)] (including any purely 
first-order clause) is equivalent to its И-goal translation ∀Z̄[(∃X̄. t̄ ≈ Z̄ ∧ G) ⇒ p(Z̄)]. 

Example 5.11. Consider the И-goal translation of (1): 

∀Z₁, Z₂, Z₃[Иx.∃G, E, T, T'. 
Z₁ ≈ G ∧ Z₂ ≈ lam((x)E) ∧ Z₃ ≈ arrTy(T, T') ∧ tc([(x,T)|G], E, T') 
⇒ tc(Z₁, Z₂, Z₃)]. 

Technically, the above clause is not literally equivalent to the original third clause; 
instead, it is equivalent to 

tc(G, lam((x)E), arrTy(T,T')) :- x # (G,T,T'), tc([(x,T)|G], E, T'). 

which imposes the additional restriction that x # T, T'. These additional con- 
straints clearly do not affect the meaning of the program in a simply typed setting 
where types cannot contain variable names; moreover, as discussed in Section 2.2.2, 
if types can depend on term variables, these constraints follow from x # G provided 
G is well-formed and T, T' are well-formed with respect to G. 
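The И-goal translation ‖−‖ of Section 5.3.1 together with the two syntactic checks that surround it, the ground name restriction of Definition 5.2 and the И-goal property, as an added example (not the paper's implementation). A normalized clause Иā∀X̄[G ⇒ p(t̄)] is the tuple (names, vars, body, head); terms and goals are nested tuples with leaves ('name', a) and ('var', X). The encodings, the constructed clauses (clause (2) of Example 5.4 and clause (1) of Example 5.3) and the choice of Z₁, Z₂, … as the fresh variables are this example's own.

```python
def var(x): return ('var', x)
def name(a): return ('name', a)
def atom(p, *args): return ('atom', p, tuple(args))
def app(f, *args): return ('app', f, tuple(args))
def abst(a, t): return ('abs', a, t)           # (a)t; a is a ('name', _) or ('var', _) leaf
def swap(a, b, t): return ('swap', a, b, t)    # (a b)·t
def fresh(a, t): return ('fresh', a, t)        # a # t

def name_restricted(x):
    """Definition 5.2: in every a # t, (a b)·t and (a)t, the a and b are ground names."""
    if not isinstance(x, tuple): return True
    if x[0] in ('abs', 'fresh') and x[1][0] != 'name': return False
    if x[0] == 'swap' and (x[1][0] != 'name' or x[2][0] != 'name'): return False
    return all(name_restricted(y) for y in x)

def is_new_goal(d):
    """A clause is И-goal when no subformula Иa.D occurs (Иa.G inside a goal is fine).
    D ::= ('top',) | atom | ('and', D, D') | ('imp', G, D) | ('forall', X, D) | ('new', a, D)."""
    k = d[0]
    if k == 'new': return False
    if k == 'and': return is_new_goal(d[1]) and is_new_goal(d[2])
    if k in ('imp', 'forall'): return is_new_goal(d[2])
    return True

def as_formula(clause):
    """View a normalized clause (names, vars, body, head) as the formula Иā∀X̄[G ⇒ A]."""
    names, vs, body, head = clause
    d = head if body == ('top',) else ('imp', body, head)
    for x in reversed(vs): d = ('forall', x, d)
    for a in reversed(names): d = ('new', a, d)
    return d

def new_goal_translation(clause):
    """‖Иā∀X̄[G ⇒ p(t̄)]‖ = ∀Z̄[(Иā.∃X̄. t̄ ≈ Z̄ ∧ G) ⇒ p(Z̄)], with Z̄ chosen apart from X̄."""
    names, vs, body, head = clause
    zs = tuple(var('Z%d' % i) for i in range(1, len(head[2]) + 1))
    if set(zs) & set(vs):
        raise ValueError('variables Z1.. clash with the clause; rename first')  # toy assumption
    parts = [('eq', t, z) for t, z in zip(head[2], zs)] + ([] if body == ('top',) else [body])
    g = parts[0] if len(parts) == 1 else ('and',) + tuple(parts)
    for x in reversed(vs): g = ('exists', x, g)
    for a in reversed(names): g = ('new', a, g)
    return ((), zs, g, ('atom', head[1], zs))

# Constructed clauses: (2) Иa∀X[q((a)X, X)] and (1) Иx∀G,E,T,T'[x # G ∧ tc([(x,T)|G],E,T') ⇒ tc(G, lam((x)E), arrTy(T,T'))]
A_, X_ = name('a'), var('X')
CLAUSE_2 = ((A_,), (X_,), ('top',), atom('q', abst(A_, X_), X_))
x_, G_, E_, T_, T2_ = name('x'), var('G'), var('E'), var('T'), var("T'")
CLAUSE_1 = ((x_,), (G_, E_, T_, T2_),
            ('and', fresh(x_, G_), atom('tc', app('cons', app('pair', x_, T_), G_), E_, T2_)),
            atom('tc', G_, app('lam', abst(x_, E_)), app('arrTy', T_, T2_)))
```

For clause (2) the translation is ∀Z₁,Z₂[(Иa.∃X.(a)X ≈ Z₁ ∧ X ≈ Z₂) ⇒ q(Z₁,Z₂)], the clause of Example 5.8; the original is not И-goal while its translation is. Clause (1) and its translation are name-restricted, whereas a constraint X # Y with variables in name position (the form discussed in Section 5.3.3) is not.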

As the above examples suggest, the И-goal translation of a clause is equivalent 
to the original clause precisely when the clause is well-behaved with respect to ≈- 
resolution. We now formalize this observation, by showing that a clause has the 
same behavior as its И-goal translation under the ≈-resolution semantics, and then 
showing that ≈-resolution proof search is complete for И-goal clauses. 

Proposition 5.12. Let a context Σ, Δ, D, and A be given, with D normalized to 
the form Иā∀X̄[G ⇒ p(t̄)]. Then there exist C₁ and C₂ such that [Σ] Δ ⟶≈_D A \ C₁ 
and [Σ] Δ ⟶≈_{‖D‖} A \ C₂ are derivable and such that [Σ] ⊨ C₁ ⟺ C₂. 

Proof. A derivation of a normalized D = Иā∀X̄[G ⇒ p(t̄)] must be of the form 

──────────────────────────────────────────────── hyp≈
[Σ#ā, X̄] Δ ⟶≈_{p(t̄)} A \ p(t̄) ≈ A
──────────────────────────────────────────────── ⇒L
[Σ#ā, X̄] Δ ⟶≈_{G ⇒ p(t̄)} A \ p(t̄) ≈ A ∧ G
──────────────────────────────────────────────── ∀L
[Σ#ā] Δ ⟶≈_{∀X̄[G ⇒ p(t̄)]} A \ ∃X̄.p(t̄) ≈ A ∧ G
──────────────────────────────────────────────── ИL
[Σ] Δ ⟶≈_{Иā∀X̄[G ⇒ p(t̄)]} A \ Иā.∃X̄.p(t̄) ≈ A ∧ G

Similarly, D's И-goal translation ‖D‖ = ∀Z̄[(Иā.∃X̄. t̄ ≈ Z̄ ∧ G) ⇒ p(Z̄)] can only 
have a derivation of the form 

────────────────────────────────────────────────────────────────────── hyp≈
[Σ, Z̄] Δ ⟶≈_{p(Z̄)} A \ p(Z̄) ≈ A
────────────────────────────────────────────────────────────────────── ⇒L
[Σ, Z̄] Δ ⟶≈_{(Иā.∃X̄. Z̄ ≈ t̄ ∧ G) ⇒ p(Z̄)} A \ p(Z̄) ≈ A ∧ Иā.∃X̄. Z̄ ≈ t̄ ∧ G
────────────────────────────────────────────────────────────────────── ∀L
[Σ] Δ ⟶≈_{‖D‖} A \ ∃Z̄.p(Z̄) ≈ A ∧ Иā.∃X̄. Z̄ ≈ t̄ ∧ G

Now observe that 

∃Z̄.p(Z̄) ≈ A ∧ Иā.∃X̄. t̄ ≈ Z̄ ∧ G  ⟺  ∃Z̄.Иā.∃X̄. p(Z̄) ≈ A ∧ t̄ ≈ Z̄ ∧ G 
                                 ⟺  ∃Z̄.Иā.∃X̄. p(t̄) ≈ A ∧ G 
                                 ⟺  Иā.∃X̄. p(t̄) ≈ A ∧ G 

This concludes the proof. □ 

Using the above lemma, it is straightforward to show that: 

Theorem 5.13. Let Σ, Δ, ∇, G be given and suppose Δ' is the result of replacing 
some program clauses D ∈ Δ with ‖D‖. Then [Σ] Δ; ∇ ⇒≈ G is derivable if and 
only if [Σ] Δ'; ∇ ⇒≈ G is derivable. 

5.3.2 Completeness of ≈-resolution. We now prove the completeness of ≈-res- 
olution for И-goal programs. We first need a lemma showing that ≈-backchaining 
derivations from И-goal clauses and programs are stable under application of per- 
mutations. The full proofs can be found in Appendix D. 

Lemma 5.14. Let Δ be a И-goal program and π be a type-preserving permutation 
of names in Σ. 

(1) If [Σ] Δ; ∇ ⇒≈ G then [Σ] Δ; ∇ ⇒≈ π·G. 

(2) If [Σ] Δ; ∇ ⟶≈_D A then [Σ] Δ; ∇ ⟶≈_D π·A. 

Theorem 5.15. If Δ is И-goal then 

(1) If [Σ] Δ; ∇ ⇒ G is derivable, then [Σ] Δ; ∇ ⇒≈ G is derivable. 

(2) If [Σ] Δ; ∇ ⟶_D A is derivable, there exists a π such that [Σ] Δ; ∇ ⟶≈_D π·A is 
derivable. 

Note that Theorem 5.15 fails if ИL is allowed: for example, faced with a derivation 

[Σ#a] Δ; ∇ ⟶_D A
──────────────────── ИL
[Σ] Δ; ∇ ⟶_{Иa.D} A

we can obtain [Σ#a] Δ; ∇ ⟶≈_D π·A by induction, but since π may mention a, it is 
not possible in general to conclude [Σ] Δ; ∇ ⟶≈_{Иa.D} π'·A for some π'. (This can 
be seen for D = p(a), A = p(b), π = (a b) in Example 5.3.) 

5.3.3 Discussion. We introduced И-goal programs above as a way of justifying 
using Urban et al. [2004]'s name-restricted nominal unification. However, the com- 
pleteness of ≈-resolution still holds if we consider full nominal unification, in which 
variables may appear in place of names anywhere in a term. The current implemen- 
tation also solves constraints a # t where a may also be a variable; constraints such 
as X # Y used in aneq and subst are of this form. Conjunctions of constraints of 
the form X # π·X and X # π·Y can encode finite-domain set constraint problems, 
so their satisfiability is NP-hard, but such constraints are delayed until the end of 
proof search and then tested for satisfiability by exhaustive search. 

Although we have argued that many typical programs work fine using ≈-resolution, 
it still seems worthwhile to investigate full ∼-resolution. We conclude this section 
with a discussion of examples where full equivariant unification seems helpful. 
Example 5.16. The following program clauses 

aneq(var(X), var(Y)) :- X # Y. 

subst(var(X), N, var(Y)) = var(X) :- X # Y. 

step(mismatch(X, Y, P), A, P') :- X # Y, step(P, A, P'). 

are equivalent to the clauses 

aneq(var(x), var(y)). 

subst(var(x), N, var(y)) = var(x). 

step(mismatch(x, y, P), A, P') :- step(P, A, P'). 

which require equivariant unification to execute correctly. Thus, equivariant uni- 
fication allows us to write clauses using a convention that syntactically distinct 
names are semantically distinct, instead of explicitly needing to specify this using 
freshness constraints. 

Example 5.17. In a type inference algorithm such as Algorithm W [Milner 1978], 
consider the predicate spec that relates a polymorphic type σ to a list of distinct 
variables ā and a monomorphic type τ such that σ = ∀ā.τ. This predicate is use- 
ful both for quantifying a monomorphic type by its unconstrained type variables 
and for instantiating a polymorphic type to some fresh type variables. It can be 
implemented using the following αProlog program clauses: 

spec(monoTy(T), [], T). 

spec(polyTy((a)P), [a|L], T) :- a # L, spec(P, L, T). 

However, the second clause is not И-goal, nor equivalent to its И-goal form, because 
a can (and often will) occur free in T. Thus, it is not handled correctly in the cur- 
rent implementation. Correct handling of the above definition requires equivariant 
unification. 

6. COMPARISON WITH PREVIOUS WORK 

Several techniques for providing better handling of syntax with bound names in 
logic programming settings have been considered: 

— Higher-order logic programming and higher-order abstract syntax [Miller and 
Nadathur 1987; Nadathur and Miller 1998; Nadathur and Mitchell 1999; Pfenning 
and Elliott 1989; Pfenning 1991; Pfenning and Schürmann 1999] 

— Lambda-term abstract syntax, a variation on higher-order abstract syntax based 
on Miller's higher-order patterns [Miller 1991] 

— Qu-Prolog, a first-order logic programming language with binding and substitu- 
tion constraints [Staples et al. 1989; Cheng et al. 1991; Nickolas and Robinson 
1996; Clark et al. 2001] 

— Logic programming based on binding algebras, an approach to the semantics 
of bound names based on fimctor categories [Hamana 2001; Fiore et al. 1999; 
Hofmann 1999]. 

We also relate our approach with functional programming languages that provide 
built-in features for name-binding, such as AIL\ [Miller 1990], FreshML [Pitts and 
Gabbay 2000; Shinwell et al. 2003; Shinwell and Pitts 2005; Pitts and ShinweU 
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2007; Pettier 2007] , and Delphin [Schiirmann et al. 2005] , as well as recent efforts 
to provide nominal abstract syntax as a lightweight language extension [Pettier 
2005; Cheney 2005c]. 

6.1 Logic programming with names and binding 

6.1.1 Higher-order logic programming. Higher-order abstract syntax [Pfenning and Elliott 1989] is a powerful and elegant approach to programming with names and binding that is well-supported by higher-order logic programming languages such as λProlog [Nadathur and Miller 1998; Nadathur and Mitchell 1999] or Twelf [Pfenning 1991; Pfenning and Schürmann 1999]. In higher-order logic programming, we consider logic programs to be formulas of a higher-order logic such as Church's simple type theory [Church 1940] or the logical framework LF [Harper et al. 1993]. Higher-order logic programming provides logically well-founded techniques for modularity and abstraction [Miller 1989; 1993] and provides advanced capabilities for programming with abstract syntax involving bound names and capture-avoiding substitution.

These capabilities are ideal for programming a wide variety of type systems, pro- 
gram transformations, and theorem provers [Hannan and Miller 1988; Pfenning 
1991; Felty 1993; Nadathur and Miller 1998]. Thus higher-order logic program- 
ming is an excellent tool for prototyping and designing type systems and program 
transformations. 

While this approach is elegant and powerful, it has some disadvantages as well. These disadvantages seem tied to higher-order abstract syntax's main advantage: the use of constants of higher-order type to describe object language binding syntax, meta-language variables to encode object variables, and meta-language hypotheses and contexts to encode object-language assumptions and contexts. In particular, the fact that object-language names "disappear" into meta-level variables means that computations that involve comparing names (such as alpha-inequality) or generating fresh names (as in the semantics of references) seem to require quite different handling in a higher-order abstract syntax setting (using e.g. linearity [Cervesato and Pfenning 2002]) than is typically done on paper.

Another drawback of the higher-order approach is that "elegant" encodings work well only when the inherent properties of the meta-language concepts are shared by the object language. In particular, if the meta-language's context is used for the context(s) of the object language, then the latter inherits the properties of the former, such as weakening and contraction. This is, of course, no problem for the many programming or logical calculi that have straightforward binding and context structure which fits the higher-order setting perfectly.

However, many interesting systems have unusual contexts or binding behavior, especially substructural type systems [Girard 1987; O'Hearn and Pym 1999] and Floyd-Hoare-style logics of imperative programs [Mason 1987; Harel et al. 2000; Reynolds 2002]. These languages seem disproportionately difficult to program and reason about in pure higher-order logic (or LF). Of course, such programs can still be written as higher-order logic programs, in the worst case by foregoing the use of higher-order abstract syntax. This can result in nondeclarative (and nonintuitive) programs which are not as convenient for experimentation or reasoning as one might like.

One remedy is to extend the meta-language with new features that make it possible to encode larger classes of object languages elegantly. Examples include linearity (Linear LF [Cervesato and Pfenning 2002]) and monadic encapsulation of effects (Concurrent LF [Watkins et al. 2003]). In contrast, in αProlog, many examples of substructural and concurrency calculi can be implemented without recourse to logical features beyond nominal logic, but also of course without the level of elegance and convenience offered by Linear or Concurrent LF. However, the convenience of such extensions must be balanced against the effort needed to adapt the metatheory and implementations to support them.

6.1.2 Logic programming with higher-order patterns. Lλ is a restricted form of higher-order logic programming introduced by Miller [1991]. In Lλ, occurrences of meta-variables in unification problems are required to obey the higher-order pattern constraint: namely, each such meta-variable may only occur as the head of an application to a sequence of distinct bound variables. For example, λx.F x is a pattern but λx.F x x and λx.x (F x) are not. The higher-order pattern restriction guarantees that most general unifiers exist, and that unification is decidable.

However, built-in capture-avoiding substitution for arbitrary terms is not available in Lλ. In full λProlog, the beta-reduction predicate can be encoded as

beta (app (lam (x\M x)) N) (M N).

but this is not a higher-order pattern because of the subterm M N. Instead, substitution must be programmed explicitly in Lλ, though this is not difficult:

beta (app (lam (x\E x)) E') E'' :- subst (x\E x) E' E''.
subst (x\x) E E.
subst (x\app (E1 x) (E2 x)) E (app E1' E2')
  :- subst E1 E E1', subst E2 E E2'.
subst (x\lam y\E1 x y) E (lam y\E1' y)
  :- pi y\ (subst (x\y) E y -> subst (x\E1 x y) E (E1' y)).

This definition involves only higher-order patterns. In Lλ, the only substitutions permitted are those of the form Miller calls β0:

(λx.M) y = M[y/x]

that is, in which a bound variable is replaced with another bound variable.

There are several interesting parallels between Lλ and αProlog (and between nominal unification and Lλ unification [Urban et al. 2004]). The name-restricted fragment of nominal logic programming which underlies the current αProlog implementation seems closely related to Lλ. It seems possible to translate many programs directly from one formalism to the other, for example, by replacing local hypotheses with an explicit context. The proof-theoretic semantics in this paper may be useful for further investigating this relationship.

Miller and Tiu have investigated logics called FOλ∇ and LG^ω which include a novel quantifier ∇ that quantifies over "generic" objects [Miller and Tiu 2005; Tiu 2007]. Miller and Tiu argue that ∇ provides the right logical behavior to encode "fresh name" constraints such as arise in encoding (bi)similarity in the π-calculus. As first observed by Miller and Tiu [2005], the ∇-quantifier has some, but not all, properties in common with И; this relationship has been explored further by several authors [Gabbay and Cheney 2004; Cheney 2005d; Schöpp 2007; Tiu 2007]. However, FOλ∇ has primarily been employed as a foundation for encoding and reasoning about languages, not as the basis of a logic programming language per se.

6.1.3 Qu-Prolog. Qu-Prolog [Staples et al. 1989; Cheng et al. 1991; Nickolas and Robinson 1996] is a logic programming language with built-in support for object languages with variables, binding, and capture-avoiding substitution. It extends Prolog's (untyped) term language with constant symbols denoting object-level variables and a built-in simultaneous capture-avoiding substitution operation t{t1/x1, ..., tn/xn}. Also, a binary predicate x not_free_in t is used to assert that an object-variable x does not appear in a term t. Certain identifiers can be declared as binders or quantifiers; for example, lambda could be so declared, in which case the term lambda x t is interpreted as binding x in t. Unlike in higher-order abstract syntax, quantifier symbols are not necessarily λ-abstractions, so Qu-Prolog is not simply a limited form of higher-order logic programming. Qu-Prolog does not provide direct support for name-generation; instead name-generation is dealt with by the implementation during execution as in higher-order abstract syntax.

Qu-Prolog is based on a classical theory of names and binding described in terms of substitution. Like higher-order unification, Qu-Prolog's unification problem is undecidable, but in practice a semidecision procedure based on delaying "hard" subproblems seems to work well [Nickolas and Robinson 1996].

Qu-Prolog enjoys a mature implementation including a compiler for Qu-Prolog written in Qu-Prolog. Many interesting programs have been written in Qu-Prolog, including interactive theorem provers, client/server and database applications [Clark et al. 2001]. Relations such as λ-term typability can be programmed essentially the same as in αProlog. As with higher-order abstract syntax, Qu-Prolog's built-in substitution operation is extremely convenient.

Formal investigations of Qu-Prolog have been limited to the operational semantics and unification algorithm. There is no denotational or proof-theoretic semantics explaining the behavior of names and binding in Qu-Prolog. Qu-Prolog is untyped and there is no distinction between names and ordinary Prolog constants. There is no analogue of the И-quantifier or the equivariance or freshness principles. It may be possible to define a clearer denotational semantics for Qu-Prolog programs in terms of nominal logic. This could be useful for relating the expressiveness of αProlog and Qu-Prolog. Conversely, it may be interesting to add a Qu-Prolog-like built-in substitution operation (and associated unification techniques) to αProlog.

6.1.4 Logic programming with binding algebras. Fiore et al. [1999] and Hofmann [1999] introduced binding algebras and techniques for reasoning about abstract syntax with binding using functor categories. Hamana [2001] developed a unification algorithm and logic programming language for programming with binding algebra terms involving name-abstraction [a]t, name-application t@a, name occurrences var(a), injective renamings ρ = [x1 := y1, x2 := y2, ...], and first-order function symbols and constants.

Hamana's unification algorithm unifies up to β0-equivalence of bound names with respect to name-application. Hamana employs a type system that assigns each term a type and a set of names that may appear free in the term. Hamana's unification algorithm appears to generalize higher-order pattern unification; since names in application sequences do not have to be distinct, however, most general unifiers do not exist; for example [x]F@x@x ≈ [y]G@y has two unifiers, among them F = [x][y]x.

Many of the example programs of Section 2 can also be programmed using Hamana's programming language. For example, capture-avoiding substitution is given as an example by Hamana [2001]. However, because binding algebras are based on arbitrary renamings, rather than injective renamings, it may be difficult to write programs such as aneq or step that rely on distinguishing or generating names. In addition, since the names free in a term must appear in the term's type, some programs may require more involved type annotations or may be ruled out by the type system.

6.2 Functional programming with names and binding 

6.2.1 MLλ. Miller [1990] also proposed a functional language extending Standard ML to include an intensional function type t ⇒ t' populated by "functions that can be analyzed at run-time", that is, higher-order patterns. This language is called MLλ and supports functional programming with λ-term abstract syntax using the intensional function type. Since higher-order pattern unification and matching are decidable, programs in MLλ can examine the structure of intensional function values, in contrast to ordinary function values which cannot be examined, only applied to data. Miller [1990]'s original proposal left many issues open for future consideration; Pasalic et al. [2000] developed an operational semantics and prototype implementation of a language called DALI, which was inspired by MLλ.

6.2.2 FreshML. FreshML [Pitts and Gabbay 2000; Shinwell et al. 2003; Shinwell and Pitts 2005; Pitts and Shinwell 2007; Pottier 2007] is a variant of ML (or Objective Caml) that provides built-in primitives for names and binding based on nominal abstract syntax. FreshML was an important source of inspiration for αProlog. At present FreshML and αProlog provide similar facilities for dealing with nominal abstract syntax. Arguably, because of the similarities between higher-order patterns and nominal terms [Urban et al. 2004; Cheney 2005b], FreshML can be viewed as an alternative realization of MLλ.

The main differences are 

— FreshML's treatment of name-generation uses side-effects, whereas aProlog uses 
nondeterminism. 

— There are no ground names in FreshML programs; instead, names are always 
manipulated via variables. 

— FreshML currently provides more advanced forms of name-binding (such as bind- 
ing a list of names simultaneously). 

— FreshML provides richer higher-order programming features. 

Conversely, there are many programs that can be written cleanly in αProlog's logical paradigm but not so cleanly in FreshML's functional paradigm, such as typechecking relations and nondeterministic transition systems.

6.2.3 Delphin. Another language which draws upon MLλ is Delphin. Delphin is a functional language for programming with higher-order abstract syntax and dependent types [Schürmann et al. 2005]. Because ordinary recursion principles do not work for many higher-order encodings [Hofmann 1999], Delphin provides novel features for writing such programs (based on earlier work in the context of Twelf [Schürmann 2001b; 2001a]). This approach seems very powerful, but also potentially more complex than nominal techniques. For example, Delphin programs may be nondeterministic and produce non-ground answers, because the underlying higher-order matching problems needed for pattern matching may lack most general unifiers. At present a prototype called Elphin that supports the simply-typed case has been implemented.

6.2.4 Cαml. Pottier [2005] has developed a tool for OCaml called Cαml. Cαml translates high-level, OCaml-like specifications of the binding structure of a language to ordinary OCaml type declarations and code for performing pattern matching and fold-like traversals of syntax trees. Cαml uses a swapping-based nominal abstract syntax technique internally, but these details typically do not need to be visible to the library user. Like FreshML, Cαml provides forms of binding beyond binding a single variable; for example, its binding specifications can describe pattern-matching and letrec constructs.

6.2.5 FreshLib. Cheney [2005c] developed FreshLib, a library for Haskell that employs advanced generic programming techniques to provide nominal abstract syntax for Haskell programs. FreshLib provides common operations such as capture-avoiding substitution and free-variables functions as generic operations. FreshLib also provides a richer family of binding structures, as well as a type class-based interface which permits users to define their own binding structures (such as pattern matching binders). Since Haskell is purely functional, FreshLib code that performs fresh name generation has to be encapsulated in a monad.

7. CONCLUSIONS 

Declarative programming derives much of its power from the fact that programs have a clear mathematical meaning. Name-binding and name-generation are one of many phenomena which seem to motivate abandoning declarativity in favor of expediency in practical Prolog programming. On the other hand, although high-level programming with names and binding based on higher-order abstract syntax is compelling for many applications, sometimes its high level of abstraction is an obstacle to directly formalizing an informal system. As a result both first-order and higher-order logic programs sometimes depart from the declarative ideal when we wish to program with names and binding.

This paper investigates logic programming based on nominal logic. Nominal logic programs can be used to define a wide variety of computations involving names, binding, and name generation declaratively. It provides many of the benefits of higher-order abstract syntax, particularly built-in handling of renaming and α-equivalence, while still providing lower-level access to names as ordinary data that can be generated and compared. As a result, nominal logic programs are frequently direct transcriptions of what one would write "on paper". On the other hand, although nominal abstract syntax possesses advantages not shared by any other technique, it does not currently provide all of the advantages of all previously explored techniques, the most notable example being the support for capture-avoiding substitution provided by higher-order abstract syntax.

In this paper we have presented a variety of examples of nominal logic programs, thoroughly investigated the semantics of nominal logic programming, and presented some applications of the semantics. This work provides a foundation for future investigations, such as developing practical techniques for nominal constraint solving, investigating extensions such as negation, adding nominal abstract syntax as "just another constraint domain" to existing, mature CLP implementations, and analyzing or proving metatheoretic properties of core languages or logics defined using nominal logic programs.
A. PROOFS FROM SECTION 4.1

Theorem 4.1. A collection of program clauses is satisfiable in nominal logic if and only if it has a Herbrand model.

Proof. We note without proof that we can prenex-normalize all ∃ and И quantifiers in goals in D-formulas out to the top level as ∀ and И quantifiers respectively. Then a collection of normalized D-formulas is a И∀-theory in the sense of [Cheney 2006a, Theorem 6.17], so has a model iff it has a Herbrand model. □

Lemma 4.2. Let Δ be a program and 𝓜 a nonempty set of Herbrand models of Δ. Then 𝓗 = ∩𝓜 is also a Herbrand model of Δ.

Proof. We first note that the intersection of a collection of equivariant sets is still equivariant, so 𝓗 is a Herbrand model. To prove it models Δ, we show by mutual induction that

(1) For any program clause D, if ∀M ∈ 𝓜. M ⊨ D then 𝓗 ⊨ D; and

(2) For any goal formula G, if 𝓗 ⊨ G then ∀M ∈ 𝓜. M ⊨ G.

All the cases are standard except for Иa.G and Иa.D. If ∀M ∈ 𝓜. M ⊨ Иa.D then for each M, M ⊨ (b a)·D for all b not in supp(Иa.D). Choose a b ∉ supp(Иa.D) such that ∀M ∈ 𝓜. M ⊨ (b a)·D. Appealing to the induction hypothesis, we obtain 𝓗 ⊨ (b a)·D. By Lemma 3.1, it follows that 𝓗 ⊨ Иa.D. The case for Иa.G is similar (but simpler). □

Theorem 4.3. Let Δ be a program. Then H_Δ = {A ∈ B_Σ | Δ ⊨ A}.

Proof. If A ∈ H_Δ, then A is valid in every Herbrand model of Δ, so by Theorem 4.1, A is valid in every model of Δ. Conversely, if Δ ⊨ A then since H_Δ ⊨ Δ we have H_Δ ⊨ A; thus A ∈ H_Δ. □

Theorem 4.5. Suppose T : 𝒫(B_Σ) → 𝒫(B_Σ) is equivariant and monotone. Then lfp(T) = ∩{S ∈ 𝒫(B_Σ) | T(S) ⊆ S} is the least fixed point of T and is equivariant. If, in addition, T is continuous, then lfp(T) = T^ω = ∪_{i=0}^∞ T^i(∅).

Proof. By the Knaster-Tarski fixed-point theorem, lfp(T) is the least fixed point of T. To show that lfp(T) is equivariant, it suffices to show that A ∈ lfp(T) implies (a b)·A ∈ lfp(T). Let a, b be given and assume A ∈ lfp(T). Then for any pre-fixed point S of T (satisfying T(S) ⊆ S), we have A ∈ S. Let such an S be given. Note that T((a b)·S) = (a b)·T(S) ⊆ (a b)·S, so (a b)·S is also a pre-fixed point of T. Hence A ∈ (a b)·S, so (a b)·A ∈ (a b)·(a b)·S = S. Since S was an arbitrary pre-fixed point, it follows that (a b)·A ∈ lfp(T), as desired.

The second part follows immediately from Kleene's fixed point theorem. □

Lemma 4.8. For any program Δ, T_Δ is monotone and continuous.

Proof. We prove by induction on the structure of D that T_D has the above properties. Monotonicity is straightforward. For continuity, let S_0, S_1, ... be an ω-chain of subsets of B_Σ. The cases for ⊤, ∧, ∀, and atomic formulas follow standard arguments. The remaining cases are ⇒ and И.

— Suppose D = G ⇒ D'. Suppose that A ∈ T_{G⇒D'}(∪_i S_i). If ∪_i S_i ⊨ G then A ∈ T_{D'}(∪_i S_i), and by induction A ∈ ∪_i T_{D'}(S_i) = ∪_i T_{G⇒D'}(S_i). Otherwise, A ∈ ∪_i S_i = ∪_i T_{G⇒D'}(S_i). This shows that T_{G⇒D'}(∪_i S_i) ⊆ ∪_i T_{G⇒D'}(S_i).

For the reverse direction, suppose A ∈ ∪_i T_{G⇒D'}(S_i). Then for some i, A ∈ T_{G⇒D'}(S_i). There are two cases. If S_i ⊨ G, then A ∈ T_{D'}(S_i) = T_{G⇒D'}(S_i) ⊆ T_{G⇒D'}(∪_i S_i). Otherwise, A ∈ S_i = T_{G⇒D'}(S_i) ⊆ T_{G⇒D'}(∪_i S_i).

— Suppose D = Иa.D'. Then we have

    T_{Иa.D'}(∪_i S_i) = ∪_{b ∉ supp(Иa.D')} T_{(a b)·D'}(∪_i S_i)      Definition

                      = ∪_{b ∉ supp(Иa.D')} ∪_i T_{(a b)·D'}(S_i)      Induction hyp.

                      = ∪_i ∪_{b ∉ supp(Иa.D')} T_{(a b)·D'}(S_i)      Unions commute

                      = ∪_i T_{Иa.D'}(S_i)                             Definition

This completes the proof. □

Lemma 4.9. For any a, b ∈ 𝔸, (a b)·T_D(S) = T_{(a b)·D}((a b)·S). In particular, if Δ is a closed program with FV(Δ) = supp(Δ) = ∅, then T_Δ is equivariant.

Proof. The proof is by induction on the structure of D. The cases for ⊤, A, ∧ are straightforward; for ⇒ we need the easy observation that S ⊨ G ⟺ (a b)·S ⊨ (a b)·G. For ∀X:σ.D formulas, observe that

    (a b)·T_{∀X.D}(S) = (a b)·∪_{t:σ} T_{D[t/X]}(S)                    Definition

                      = ∪_{t:σ} (a b)·T_{D[t/X]}(S)                    Swapping commutes with union

                      = ∪_{t:σ} T_{((a b)·D)[(a b)·t/X]}((a b)·S)      Induction hyp.

                      = ∪_{u:σ} T_{((a b)·D)[u/X]}((a b)·S)            Change of variables (u = (a b)·t)

                      = T_{(a b)·∀X.D}((a b)·S)                        Definition.

For И, the argument is similar. □
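As an added worked example of Theorem 4.5, Lemma 4.8 and Lemma 4.9 (example code written for this edition, not the paper's), the Python below computes lfp(T_Δ) by Kleene iteration T^0(∅), T^1(∅), ... for a small constructed program and checks the resulting least Herbrand model for equivariance under every swapping. It assumes a finite three-name slice of the name set 𝔸, represents clauses as (head, body) pairs whose variables range over those names, and takes T_D(S) ⊇ S as in the proof of Lemma 4.10; a second program containing a free ground name shows why Lemma 4.9 needs supp(Δ) = ∅.

```python
from itertools import product

# Constructed example: a finite slice of the name set (the real set is infinite).
NAMES = ("a", "b", "c")

def is_var(t):
    """Logic variables are strings starting with an uppercase letter; names are lowercase."""
    return isinstance(t, str) and t[:1].isupper()

def swap(a, b, t):
    """Apply the swapping (a b) to a term, an atom or a set of atoms."""
    if isinstance(t, (set, frozenset)):
        return frozenset(swap(a, b, x) for x in t)
    if isinstance(t, str):
        return b if t == a else a if t == b else t
    return (t[0],) + tuple(swap(a, b, x) for x in t[1:])

def fresh(n, t):
    """Freshness n # t on ground terms: the name n does not occur in t."""
    if isinstance(t, str):
        return t != n
    return all(fresh(n, x) for x in t[1:])

def substitute(t, theta):
    if isinstance(t, str):
        return theta.get(t, t)
    return (t[0],) + tuple(substitute(x, theta) for x in t[1:])

def variables(t, acc):
    if is_var(t):
        acc.add(t)
    elif isinstance(t, tuple):
        for x in t[1:]:
            variables(x, acc)
    return acc

def ground_instances(clause):
    """All instances of (head, body) with the clause's variables ranging over NAMES."""
    head, body = clause
    vs = sorted(variables(("_", head, *body), set()))
    for vals in product(NAMES, repeat=len(vs)):
        theta = dict(zip(vs, vals))
        yield substitute(head, theta), [substitute(g, theta) for g in body]

def goal_holds(g, S):
    """A body goal is either a freshness constraint ("#", n, t) or an atom in S."""
    if g[0] == "#":
        return fresh(g[1], g[2])
    return g in S

def step(delta, S):
    """One application of the immediate-consequence operator T_Delta (inflationary in S)."""
    out = set(S)
    for clause in delta:
        for head, body in ground_instances(clause):
            if all(goal_holds(g, S) for g in body):
                out.add(head)
    return frozenset(out)

def lfp(delta):
    """Kleene iteration from the empty set; returns (model, i) with T^i = T^(i+1)."""
    S, i = frozenset(), 0
    while True:
        S2 = step(delta, S)
        if S2 == S:
            return S, i
        S, i = S2, i + 1

def is_equivariant(S):
    """Every swapping of names in the finite slice maps the set to itself."""
    return all(swap(a, b, S) == S for a in NAMES for b in NAMES)

# Constructed closed program (no free names, so supp(Delta) is empty):
#   aneq(var(X), var(Y)) :- X # Y.
#   distinct3(X, Y, Z) :- aneq(var(X), var(Y)), aneq(var(Y), var(Z)), aneq(var(X), var(Z)).
CLOSED = [
    (("aneq", ("var", "X"), ("var", "Y")), [("#", "X", "Y")]),
    (("distinct3", "X", "Y", "Z"),
     [("aneq", ("var", "X"), ("var", "Y")),
      ("aneq", ("var", "Y"), ("var", "Z")),
      ("aneq", ("var", "X"), ("var", "Z"))]),
]
# The same program plus a clause mentioning the ground name a, so supp(Delta) = {a}.
OPEN = CLOSED + [(("bound", "a"), [])]

if __name__ == "__main__":
    model, rounds = lfp(CLOSED)
    print(len(model), rounds, is_equivariant(model))   # 12 2 True
    print(is_equivariant(lfp(OPEN)[0]))                 # False
```

The closed program stabilises after two rounds: the first adds the aneq facts, which depend only on freshness constraints, and the second adds the distinct3 facts, which depend on atoms from the previous stage. Swapping any two names permutes the model onto itself, as Theorem 4.5 predicts, while the single ground-name fact bound(a) breaks equivariance because (a b)·bound(a) = bound(b) is not derivable.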

Lemma 4.10. If M is a fixed point of T_Δ, then M ⊨ Δ.

Proof. We first prove by induction on the structure of D that if T_D(M) = M then M ⊨ D.

— If D = ⊤, trivially M ⊨ ⊤.

— If D = A, then clearly M ∪ {A} = T_A(M) = M implies A ∈ M so M ⊨ A.

— If D = D1 ∧ D2, then T_{D1∧D2}(M) = T_{D1}(M) ∪ T_{D2}(M) = M implies T_{D1}(M) = T_{D2}(M) = M since T_{D1}, T_{D2} are monotone. Then using the induction hypothesis M ⊨ D1 and M ⊨ D2, so M ⊨ D1 ∧ D2.

— If D = G ⇒ D', suppose that M ⊨ G. Then T_{G⇒D'}(M) = T_{D'}(M) = M so by induction M ⊨ D'. Hence M ⊨ G ⇒ D'.

— For D = ∀X:σ.D', note that M = T_{∀X.D'}(M) = ∪_{t:σ} T_{D'[t/X]}(M) implies T_{D'[t/X]}(M) = M for every t : σ. Hence by the induction hypothesis M ⊨ D'[t/X] for every t : σ; consequently M ⊨ ∀X.D'.

— For D = Иa.D', note that M = T_{Иa.D'}(M) = ∪_{b ∉ supp(Иa.D')} T_{(a b)·D'}(M) implies T_{(a b)·D'}(M) = M for every fresh b. Hence by the induction hypothesis M ⊨ (a b)·D' for every fresh b; consequently M ⊨ Иa.D'.

Since any program Δ = {D1, ..., Dn} is equivalent to a D-formula conjunction D = D1 ∧ ··· ∧ Dn, the desired result follows immediately. □

Lemma 4.11. If M ⊨ Δ then M is a fixed point of T_Δ.

Proof. Since T_Δ is monotone it suffices to show that M is a pre-fixed point. We first prove that for any D, if M ⊨ D then T_D(M) ⊆ M, by induction on the structure of D.

— If D = ⊤, clearly T_⊤(M) = M.

— If D = A then since M ⊨ A, we must have A ∈ M so T_A(M) = M ∪ {A} = M.

— If D = D1 ∧ D2, then T_{D1∧D2}(M) = T_{D1}(M) ∪ T_{D2}(M) ⊆ M since T_{Di}(M) ⊆ M by induction for i = 1, 2.

— For D = G ⇒ D', since by assumption M ⊨ G ⇒ D', there are two cases. If M ⊨ G, then M ⊨ D', and by induction T_{G⇒D'}(M) = T_{D'}(M) ⊆ M. On the other hand, if M ⊭ G, then T_{G⇒D'}(M) = M.

— For D = ∀X:σ.D', by assumption M ⊨ ∀X:σ.D' so we must have M ⊨ D'[t/X] for all t : σ. By induction T_{D'[t/X]}(M) ⊆ M for any t : σ so ∪_{t:σ} T_{D'[t/X]}(M) ⊆ M.

— If D = Иa:ν.D', by assumption M ⊨ Иa:ν.D' so M ⊨ (a b)·D' for any b ∉ supp(Иa.D'). By induction T_{(a b)·D'}(M) ⊆ M for any b ∉ supp(Иa.D') so ∪_{b ∉ supp(Иa.D')} T_{(a b)·D'}(M) ⊆ M.

To prove the lemma, take Δ = {D1, ..., Dn} and D = D1 ∧ ··· ∧ Dn. If M ⊨ Δ, then M ⊨ D, so T_D(M) ⊆ M, whence T_Δ(M) ⊆ M. □

B. PROOFS FROM SECTION 4.2

Theorem 4.15.

(1) If [Σ] Δ; ∇ ⟹ G is derivable then [Σ] Δ, ∇ ⊨ G.

(2) If [Σ] Δ; ∇ ⟹^{D} A is derivable then [Σ] Δ, D, ∇ ⊨ A.

Proof. Induction on derivations. The only novel cases involve И.

— Suppose we have derivation

        [Σ] ∇ ⊨ G
    ------------------ con
    [Σ] Δ; ∇ ⟹ G

Then [Σ] ∇ ⊨ G implies [Σ] Δ, ∇ ⊨ G as desired.

— Suppose we have derivation

    [Σ] Δ; ∇ ⟹ G1    [Σ] Δ; ∇ ⟹ G2
    -----------------------------------
           [Σ] Δ; ∇ ⟹ G1 ∧ G2

By induction, [Σ] Δ, ∇ ⊨ G1 and [Σ] Δ, ∇ ⊨ G2, so clearly [Σ] Δ, ∇ ⊨ G1 ∧ G2.

— Suppose we have derivation

         [Σ] Δ; ∇ ⟹ Gi
    ------------------------
    [Σ] Δ; ∇ ⟹ G1 ∨ G2

By induction, [Σ] Δ, ∇ ⊨ Gi so [Σ] Δ, ∇ ⊨ G1 ∨ G2.

— Suppose we have derivation

    [Σ] ∇ ⊨ ∃X.C    [Σ, X] Δ; ∇, C ⟹ G
    --------------------------------------
            [Σ] Δ; ∇ ⟹ ∃X:σ.G

By induction, [Σ, X] Δ, ∇, C ⊨ G. Appealing to Lemma 3.4, we have [Σ] Δ, ∇ ⊨ ∃X.G.

— Suppose we have derivation

    [Σ] ∇ ⊨ Иa.C    [Σ#a] Δ; ∇, C ⟹ G
    --------------------------------------
            [Σ] Δ; ∇ ⟹ Иa.G

By induction we have that [Σ#a] Δ, ∇, C ⊨ G. Appealing to Lemma 3.5, we conclude [Σ] Δ, ∇ ⊨ Иa.G.

— Suppose we have derivation

    [Σ] Δ; ∇ ⟹^{D} A    (D ∈ Δ)
    -------------------------------
          [Σ] Δ; ∇ ⟹ A

Then by induction hypothesis (2), we have that [Σ] Δ, D, ∇ ⊨ A. Since D ∈ Δ, clearly [Σ] Δ ⊨ D so we can deduce [Σ] Δ, ∇ ⊨ A.

For the second part, proof is by induction on the derivation of [Σ] Δ; ∇ ⟹^{D} A.

— Suppose we have derivation

      [Σ] ∇ ⊨ A' ≈ A
    -------------------- hyp
    [Σ] Δ; ∇ ⟹^{A'} A

We need to show [Σ] Δ, A', ∇ ⊨ A. To see this, suppose θ satisfies ∇ and 𝓗 is a Herbrand model of Δ, θ(A'). Since [Σ] ∇ ⊨ A' ≈ A, there must be a permutation π such that π·θ(A') = θ(A). Moreover, since 𝓗 ⊨ θ(A'), by the equivariance of 𝓗 we also have 𝓗 ⊨ π·θ(A') so 𝓗 ⊨ θ(A). Since θ and 𝓗 were arbitrary, we conclude that [Σ] Δ, A', ∇ ⊨ A.

— Suppose we have derivation

       [Σ] Δ; ∇ ⟹^{Di} A
    -----------------------------
    [Σ] Δ; ∇ ⟹^{D1 ∧ D2} A

By induction, we know that [Σ] Δ, Di, ∇ ⊨ A, so can conclude [Σ] Δ, D1 ∧ D2, ∇ ⊨ A by Lemma 3.6.

— Suppose we have derivation

    [Σ] Δ; ∇ ⟹^{D} A    [Σ] Δ; ∇ ⟹ G
    ---------------------------------------
           [Σ] Δ; ∇ ⟹^{G ⇒ D} A

Then by induction, we have that [Σ] Δ, D, ∇ ⊨ A and [Σ] Δ, ∇ ⊨ G. Then we can conclude [Σ] Δ, G ⇒ D, ∇ ⊨ A using Lemma 3.7.

— Suppose we have derivation

    [Σ] ∇ ⊨ ∃X.C    [Σ, X] Δ; ∇, C ⟹^{D} A
    ------------------------------------------
            [Σ] Δ; ∇ ⟹^{∀X.D} A

Then by induction, we have that [Σ, X] Δ, D, ∇, C ⊨ A. We want to conclude that [Σ] Δ, ∀X.D, ∇ ⊨ A. Suppose [Σ] θ ⊨ ∇. Since [Σ] ∇ ⊨ ∃X.C, we have that [Σ] θ ⊨ ∃X.C. Thus, there exists a t such that [Σ, X] θ[X ↦ t] ⊨ C. Therefore, [Σ, X] Δ, D, θ[X ↦ t] ⊨ A. Since X appears only in D, by Lemma 3.8, we have that [Σ] Δ, ∀X.D, θ ⊨ A. Since θ was an arbitrary valuation satisfying ∇, it follows that [Σ] Δ, ∀X.D, ∇ ⊨ A.

— Suppose we have derivation

    [Σ] ∇ ⊨ Иa.C    [Σ#a] Δ; ∇, C ⟹^{D} A
    ------------------------------------------
            [Σ] Δ; ∇ ⟹^{Иa.D} A

By induction, we know that [Σ#a] Δ, D, ∇, C ⊨ A. Since [Σ] ∇ ⊨ Иa.C it follows that [Σ#a] Δ, D, ∇, C ⊨ A, so by Lemma 3.3 we have [Σ#a] Δ, D, ∇ ⊨ A. Moreover, by Lemma 3.9, we can conclude [Σ] Δ, Иa.D, ∇ ⊨ A.

This completes the proof. □

Proposition 4.16. For any Σ, Δ, G, D, i ≥ 0:

(1) If [Σ] T_Δ^i, θ ⊨ G then there exists ∇ such that [Σ] θ ⊨ ∇ and [Σ] Δ; ∇ ⟹ G is derivable.

(2) If [Σ] T_{θ(D)}(T_Δ^i), θ ⊨ A but [Σ] T_Δ^i, θ ⊭ A then there exists ∇ such that [Σ] θ ⊨ ∇ and [Σ] Δ; ∇ ⟹^{D} A.

Proof. For the first part, proof is by induction on i and G; most cases are straightforward.

— If G = ⊤ then trivially [Σ] Δ; · ⟹ ⊤.

— If G = C, a constraint, then [Σ] T_Δ^i, θ ⊨ C. By definition, this means that ⊨ θ(C) holds; equivalently, [Σ] θ ⊨ C. Thus, taking ∇ = C, we obviously have

        [Σ] C ⊨ C
    ------------------ con
    [Σ] Δ; C ⟹ C

— If G = A and i = 0, this case is vacuous since no atomic formulas are satisfied in the empty model T_Δ^0.

— If G = A and i > 0, then there are two further cases. If [Σ] T_Δ^{i-1}, θ ⊨ A then we use part (1) of the induction hypothesis with i − 1 to conclude [Σ] Δ; ∇ ⟹ A. Otherwise [Σ] T_Δ^{i-1}, θ ⊭ A. This implies that θ(A) ∈ T_Δ(T_Δ^{i-1}) = ∪_{D∈Δ} T_D(T_Δ^{i-1}), so we must have θ(A) ∈ T_D(T_Δ^{i-1}) for some D ∈ Δ. Since D ∈ Δ is closed, we have D = θ(D), so [Σ] T_{θ(D)}(T_Δ^{i-1}), θ ⊨ A but [Σ] T_Δ^{i-1}, θ ⊭ A. Induction hypothesis (2) applies and we can obtain a derivation of [Σ] Δ; ∇ ⟹^{D} A. The following derivation completes this case:

    [Σ] Δ; ∇ ⟹^{D} A    (D ∈ Δ)
    ------------------------------- sel
          [Σ] Δ; ∇ ⟹ A

— If G = G1 ∧ G2, then [Σ] T_Δ^i, θ ⊨ G1 ∧ G2 implies [Σ] T_Δ^i, θ ⊨ G1 and [Σ] T_Δ^i, θ ⊨ G2, so by induction for some ∇1, ∇2, we have [Σ] Δ; ∇1 ⟹ G1, [Σ] θ ⊨ ∇1, [Σ] Δ; ∇2 ⟹ G2, and [Σ] θ ⊨ ∇2. We can therefore conclude

    [Σ] Δ; ∇1 ∧ ∇2 ⟹ G1    [Σ] Δ; ∇1 ∧ ∇2 ⟹ G2
    -----------------------------------------------
           [Σ] Δ; ∇1 ∧ ∇2 ⟹ G1 ∧ G2

since clearly [Σ] θ ⊨ ∇1 ∧ ∇2.

— If G = G1 ∨ G2, then [Σ] T_Δ^i, θ ⊨ G1 ∨ G2 implies [Σ] T_Δ^i, θ ⊨ Gi for some i ∈ {1, 2}. In either case, by induction [Σ] Δ; ∇ ⟹ Gi and [Σ] θ ⊨ ∇ hold for some ∇, so we deduce

         [Σ] Δ; ∇ ⟹ Gi
    ------------------------
    [Σ] Δ; ∇ ⟹ G1 ∨ G2

— If G = ∃X:σ.G', then [Σ] T_Δ^i, θ ⊨ ∃X:σ.G' implies [Σ, X:σ] T_Δ^i, θ[X ↦ t] ⊨ G' for some t : σ. By induction, then, there exists ∇ such that [Σ, X:σ] Δ; ∇ ⟹ G' is derivable and [Σ, X] θ[X ↦ t] ⊨ ∇. We can therefore derive

    [Σ] ∃X.∇ ⊨ ∃X.∇    [Σ, X:σ] Δ; ∃X.∇, ∇ ⟹ G'
    ------------------------------------------------
             [Σ] Δ; ∃X.∇ ⟹ ∃X:σ.G'

using weakening to obtain the second subderivation. Clearly [Σ, X] θ[X ↦ t] ⊨ ∇ implies [Σ] θ ⊨ ∃X.∇.

— If G = Иa:ν.G', assume without loss of generality a ∉ Σ. Then [Σ] T_Δ^i, θ ⊨ Иa.G' implies [Σ#a] T_Δ^i, θ ⊨ G'. By induction, there exists ∇ such that [Σ#a] Δ; ∇ ⟹ G' is derivable and [Σ#a] θ ⊨ ∇. We can therefore derive

    [Σ] Иa.∇ ⊨ Иa.∇    [Σ#a] Δ; Иa.∇, ∇ ⟹ G'
    ---------------------------------------------
             [Σ] Δ; Иa.∇ ⟹ Иa.G'

using weakening to obtain the second subderivation. Clearly, [Σ#a] θ ⊨ ∇ implies [Σ] θ ⊨ Иa.∇.

Similarly, the second part follows by induction on D, unwinding the definition of T_D in each case.

— If D = ⊤, then θ(D) = ⊤ and T_⊤(S) = S; we cannot have both [Σ] T_Δ^i, θ ⊨ A and [Σ] T_Δ^i, θ ⊭ A so this case is vacuous.

— If D = A', then T_{θ(A')}(S) = S ∪ {θ(A')}. Thus, if [Σ] T_Δ^i ∪ {θ(A')}, θ ⊨ A but [Σ] T_Δ^i, θ ⊭ A, then we must have θ(A) = θ(A'). This clearly implies [Σ] θ ⊨ A ≈ A', so taking ∇ = A ≈ A', clearly [Σ] ∇ ⊨ A ≈ A' and we can derive

      [Σ] A ≈ A' ⊨ A ≈ A'
    --------------------------- hyp
    [Σ] Δ; A ≈ A' ⟹^{A'} A

— If D = D1 ∧ D2, then θ(D) = θ(D1) ∧ θ(D2), and T_{θ(D1)∧θ(D2)}(S) = T_{θ(D1)}(S) ∪ T_{θ(D2)}(S), and [Σ] T_{θ(D1)}(T_Δ^i) ∪ T_{θ(D2)}(T_Δ^i), θ ⊨ A. Then we must have [Σ] T_{θ(Dj)}(T_Δ^i), θ ⊨ A for some j ∈ {1, 2}. In either case, by induction there exists ∇ such that [Σ] θ ⊨ ∇ and [Σ] Δ; ∇ ⟹^{Dj} A, so we can conclude

       [Σ] Δ; ∇ ⟹^{Dj} A
    -----------------------------
    [Σ] Δ; ∇ ⟹^{D1 ∧ D2} A

— If D = G ⇒ D', then θ(D) = θ(G) ⇒ θ(D'). There are two cases. If [Σ] T_Δ^i, θ ⊨ G, then T_{θ(G)⇒θ(D')}(T_Δ^i) = T_{θ(D')}(T_Δ^i) so [Σ] T_{θ(D')}(T_Δ^i), θ ⊨ A. By induction hypothesis (1), it follows that there exists a ∇ such that [Σ] Δ; ∇ ⟹ G and [Σ] θ ⊨ ∇; by induction hypothesis (2) there also exists a ∇' such that [Σ] Δ; ∇' ⟹^{D'} A and [Σ] θ ⊨ ∇'. Using weakening and the ⇒L rule, we conclude

    [Σ] Δ; ∇, ∇' ⟹ G    [Σ] Δ; ∇, ∇' ⟹^{D'} A
    ----------------------------------------------
           [Σ] Δ; ∇, ∇' ⟹^{G ⇒ D'} A

which suffices since [Σ] θ ⊨ ∇, ∇'.

Otherwise, if [Σ] T_Δ^i, θ ⊭ G, then T_{θ(G)⇒θ(D')}(T_Δ^i) = T_Δ^i. Then this case is vacuous since we cannot have both [Σ] T_Δ^i, θ ⊨ A and [Σ] T_Δ^i, θ ⊭ A.

— If D = ∀X:σ.D', assume without loss of generality that X ∉ Dom(Σ) ∪ Dom(θ). Observe that θ(D) = ∀X:σ.θ(D'). Since T_{∀X:σ.θ(D')}(S) = ∪_{t:σ} T_{θ(D')[t/X]}(S), we must have [Σ] ∪_{t:σ} T_{θ(D')[t/X]}(T_Δ^i), θ ⊨ A. Hence, there must be a t : σ such that θ(A) ∈ T_{θ(D')[t/X]}(T_Δ^i); choose a particular t : σ. Consequently, [Σ] T_{θ(D')[t/X]}(T_Δ^i), θ ⊨ A. Moreover, since X is not present in Σ, Δ, θ, this is equivalent to [Σ, X] T_{θ[X↦t](D')}(T_Δ^i), θ[X ↦ t] ⊨ A. By induction, there must exist a ∇ such that [Σ, X] θ[X ↦ t] ⊨ ∇ and [Σ, X] Δ; ∇ ⟹^{D'} A holds. Hence, [Σ] θ ⊨ ∃X.∇ so we can conclude by deriving

    [Σ] ∃X.∇ ⊨ ∃X.∇    [Σ, X:σ] Δ; ∃X.∇, ∇ ⟹^{D'} A
    ----------------------------------------------------
             [Σ] Δ; ∃X.∇ ⟹^{∀X.D'} A

— If D = Иa:ν.D', assume without loss of generality that a ∉ Σ, θ, Δ. Then θ(D) = Иa.θ(D') and since T_{Иa.θ(D')}(S) = ∪_{b ∉ supp(Иa.θ(D'))} T_{(a b)·θ(D')}(S), we must have [Σ] ∪_{b ∉ supp(Иa.θ(D'))} T_{(a b)·θ(D')}(T_Δ^i), θ ⊨ A. By definition, this means that θ(A) ∈ ∪_{b ∉ supp(Иa.θ(D'))} T_{(a b)·θ(D')}(T_Δ^i). Since by assumption a ∉ Σ, θ, Δ and a ∉ supp(Иa.D'), we must have θ(A) ∈ T_{(a a)·θ(D')}(T_Δ^i). Note that (a a)·θ(D') = θ(D'), and θ : Σ#a, hence [Σ#a] T_{θ(D')}(T_Δ^i), θ ⊨ A. Consequently, by induction, there exists a ∇ such that [Σ#a] θ ⊨ ∇ and [Σ#a] Δ; ∇ ⟹^{D'} A. Therefore, we have

    [Σ] Иa.∇ ⊨ Иa.∇    [Σ#a] Δ; Иa.∇, ∇ ⟹^{D'} A
    -------------------------------------------------
             [Σ] Δ; Иa.∇ ⟹^{Иa.D'} A

Moreover, clearly [Σ#a] θ ⊨ ∇ implies [Σ] θ ⊨ Иa.∇.

This exhausts all cases and completes the proof. □
Theorem 4.20.

(1) If $[\Sigma]\ \Delta \Rightarrow G \setminus C$ then $[\Sigma]\ \Delta;\ C \Rightarrow G$.

(2) If $[\Sigma]\ \Delta;\ \nabla \Rightarrow G$ and $[\Sigma]\ \Delta \Rightarrow^{D} A \setminus G$ then $[\Sigma]\ \Delta;\ \nabla \xrightarrow{D} A$.

Proof. Both parts are by structural induction on derivations.

– If the derivation is of the form
\[
\dfrac{}{[\Sigma]\ \Delta \Rightarrow C \setminus C}\ \mathit{con}
\]
then deriving $[\Sigma]\ \Delta;\ C \Rightarrow C$ is immediate.

– For derivation
\[
\dfrac{[\Sigma]\ \Delta \Rightarrow G_1 \setminus C_1 \qquad [\Sigma]\ \Delta \Rightarrow G_2 \setminus C_2}{[\Sigma]\ \Delta \Rightarrow G_1 \wedge G_2 \setminus C_1 \wedge C_2}\ \wedge R
\]
by induction we have $[\Sigma]\ \Delta;\ C_1 \Rightarrow G_1$ and $[\Sigma]\ \Delta;\ C_2 \Rightarrow G_2$. Weakening both sides, we have $[\Sigma]\ \Delta;\ C_1 \wedge C_2 \Rightarrow G_1$ and $[\Sigma]\ \Delta;\ C_1 \wedge C_2 \Rightarrow G_2$, so we can derive
\[
\dfrac{[\Sigma]\ \Delta;\ C_1 \wedge C_2 \Rightarrow G_1 \qquad [\Sigma]\ \Delta;\ C_1 \wedge C_2 \Rightarrow G_2}{[\Sigma]\ \Delta;\ C_1 \wedge C_2 \Rightarrow G_1 \wedge G_2}\ \wedge R
\]

– For derivation
\[
\dfrac{[\Sigma]\ \Delta \Rightarrow G_i \setminus C}{[\Sigma]\ \Delta \Rightarrow G_1 \vee G_2 \setminus C}\ \vee R_i
\]
by induction we have $[\Sigma]\ \Delta;\ C \Rightarrow G_i$, so we can derive
\[
\dfrac{[\Sigma]\ \Delta;\ C \Rightarrow G_i}{[\Sigma]\ \Delta;\ C \Rightarrow G_1 \vee G_2}\ \vee R_i
\]

– For derivation
\[
\dfrac{[\Sigma, X]\ \Delta \Rightarrow G \setminus C}{[\Sigma]\ \Delta \Rightarrow \exists X{:}\sigma.G \setminus \exists X.C}\ \exists R
\]
by induction, we have $[\Sigma, X]\ \Delta;\ C \Rightarrow G$. Weakening this derivation, we obtain
\[
\dfrac{[\Sigma]\ \exists X.C \models \exists X.C \qquad [\Sigma, X]\ \Delta;\ \exists X.C, C \Rightarrow G}{[\Sigma]\ \Delta;\ \exists X.C \Rightarrow \exists X.G}\ \exists R
\]

– For derivation
\[
\dfrac{[\Sigma\#a]\ \Delta \Rightarrow G \setminus C}{[\Sigma]\ \Delta \Rightarrow \text{И}a.G \setminus \text{И}a.C}\ \text{И}R
\]
by induction, we have $[\Sigma\#a]\ \Delta;\ C \Rightarrow G$. Weakening this derivation, we obtain
\[
\dfrac{[\Sigma]\ \text{И}a.C \models \text{И}a.C \qquad [\Sigma\#a]\ \Delta;\ \text{И}a.C, C \Rightarrow G}{[\Sigma]\ \Delta;\ \text{И}a.C \Rightarrow \text{И}a.G}\ \text{И}R
\]

– For derivation
\[
\dfrac{[\Sigma]\ \Delta \Rightarrow^{D} A \setminus G \qquad [\Sigma]\ \Delta \Rightarrow G \setminus C \qquad (D \in \Delta)}{[\Sigma]\ \Delta \Rightarrow A \setminus C}\ \mathit{back}
\]
by induction on the second derivation, we know that $[\Sigma]\ \Delta;\ C \Rightarrow G$ holds. By induction hypothesis (2) on the first subderivation, it follows that $[\Sigma]\ \Delta;\ C \xrightarrow{D} A$ holds. Hence, since $D \in \Delta$, we can conclude
\[
\dfrac{[\Sigma]\ \Delta;\ C \xrightarrow{D} A \qquad (D \in \Delta)}{[\Sigma]\ \Delta;\ C \Rightarrow A}\ \mathit{sel}
\]
For part (2), we reason simultaneously by induction on the structure of the two derivations.

– For derivations
\[
\dfrac{}{[\Sigma]\ \Delta \Rightarrow^{A'} A \setminus A \sim A'}\ \mathit{hyp} \qquad\qquad \dfrac{[\Sigma]\ \nabla \models A \sim A'}{[\Sigma]\ \Delta;\ \nabla \Rightarrow A \sim A'}\ \mathit{con}
\]
it follows that
\[
\dfrac{[\Sigma]\ \nabla \models A \sim A'}{[\Sigma]\ \Delta;\ \nabla \xrightarrow{A'} A}\ \mathit{hyp}
\]

– For derivations
\[
\dfrac{\mathcal{D} :: [\Sigma]\ \Delta \Rightarrow^{D_i} A \setminus G}{[\Sigma]\ \Delta \Rightarrow^{D_1 \wedge D_2} A \setminus G}\ \wedge L_i \qquad\qquad \mathcal{E} :: [\Sigma]\ \Delta;\ \nabla \Rightarrow G
\]
by induction using $\mathcal{D}$ and $\mathcal{E}$ we have $[\Sigma]\ \Delta;\ \nabla \xrightarrow{D_i} A$, so we can conclude
\[
\dfrac{[\Sigma]\ \Delta;\ \nabla \xrightarrow{D_i} A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow{D_1 \wedge D_2} A}\ \wedge L_i
\]

– For derivations
\[
\dfrac{\mathcal{D} :: [\Sigma]\ \Delta \Rightarrow^{D} A \setminus G_2}{[\Sigma]\ \Delta \Rightarrow^{G_1 \Rightarrow D} A \setminus G_1 \wedge G_2}\ {\Rightarrow}L \qquad\qquad \dfrac{\mathcal{E}_1 :: [\Sigma]\ \Delta;\ \nabla \Rightarrow G_1 \qquad \mathcal{E}_2 :: [\Sigma]\ \Delta;\ \nabla \Rightarrow G_2}{[\Sigma]\ \Delta;\ \nabla \Rightarrow G_1 \wedge G_2}\ \wedge R
\]
by the induction hypothesis applied to $\mathcal{D}$ and $\mathcal{E}_2$, we have $[\Sigma]\ \Delta;\ \nabla \xrightarrow{D} A$. Then we can conclude
\[
\dfrac{\mathcal{E}_1 :: [\Sigma]\ \Delta;\ \nabla \Rightarrow G_1 \qquad [\Sigma]\ \Delta;\ \nabla \xrightarrow{D} A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow{G_1 \Rightarrow D} A}\ {\Rightarrow}L
\]

– For derivations
\[
\dfrac{\mathcal{D} :: [\Sigma, X]\ \Delta \Rightarrow^{D} A \setminus G'}{[\Sigma]\ \Delta \Rightarrow^{\forall X.D} A \setminus \exists X.G'}\ \forall L \qquad\qquad \dfrac{[\Sigma]\ \nabla \models \exists X.C \qquad \mathcal{E} :: [\Sigma, X]\ \Delta;\ \nabla, C \Rightarrow G'}{[\Sigma]\ \Delta;\ \nabla \Rightarrow \exists X.G'}\ \exists R
\]
we can apply the induction hypothesis to the subderivations $\mathcal{D}$, $\mathcal{E}$ to obtain $[\Sigma, X]\ \Delta;\ \nabla, C \xrightarrow{D} A$; hence, we can conclude
\[
\dfrac{[\Sigma]\ \nabla \models \exists X.C \qquad [\Sigma, X]\ \Delta;\ \nabla, C \xrightarrow{D} A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow{\forall X.D} A}\ \forall L
\]

– For derivations
\[
\dfrac{\mathcal{D} :: [\Sigma\#a]\ \Delta \Rightarrow^{D} A \setminus G}{[\Sigma]\ \Delta \Rightarrow^{\text{И}a.D} A \setminus \text{И}a.G}\ \text{И}L \qquad\qquad \dfrac{[\Sigma]\ \nabla \models \text{И}a.C \qquad \mathcal{E} :: [\Sigma\#a]\ \Delta;\ \nabla, C \Rightarrow G}{[\Sigma]\ \Delta;\ \nabla \Rightarrow \text{И}a.G}\ \text{И}R
\]
by induction on $\mathcal{D}$, $\mathcal{E}$ we can derive $[\Sigma\#a]\ \Delta;\ \nabla, C \xrightarrow{D} A$; hence we can conclude
\[
\dfrac{[\Sigma]\ \nabla \models \text{И}a.C \qquad [\Sigma\#a]\ \Delta;\ \nabla, C \xrightarrow{D} A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow{\text{И}a.D} A}\ \text{И}L
\]

This exhausts all possible cases, so the proof is complete. □
Theorem 4.21.

(1) If $[\Sigma]\ \Delta;\ \nabla \Rightarrow G$ then there exists a constraint $C$ such that $[\Sigma]\ \Delta \Rightarrow G \setminus C$ and $[\Sigma]\ \nabla \models C$.

(2) If $[\Sigma]\ \Delta;\ \nabla \xrightarrow{D} A$ then there exist a goal $G$ and a constraint $C$ such that $[\Sigma]\ \Delta \Rightarrow^{D} A \setminus G$ and $[\Sigma]\ \Delta \Rightarrow G \setminus C$ and $[\Sigma]\ \nabla \models C$.

Proof. Again, the proof is by structural induction on derivations. The main subtlety is the construction of $C$ in each case.

– Case con
\[
\dfrac{[\Sigma]\ \nabla \models C}{[\Sigma]\ \Delta;\ \nabla \Rightarrow C}\ \mathit{con}
\]
Then clearly, we immediately derive
\[
\dfrac{}{[\Sigma]\ \Delta \Rightarrow C \setminus C}\ \mathit{con}
\]
since $[\Sigma]\ \nabla \models C$.

– Case $\wedge R$
\[
\dfrac{[\Sigma]\ \Delta;\ \nabla \Rightarrow G_1 \qquad [\Sigma]\ \Delta;\ \nabla \Rightarrow G_2}{[\Sigma]\ \Delta;\ \nabla \Rightarrow G_1 \wedge G_2}\ \wedge R
\]
By induction, we have $C_1$ such that $[\Sigma]\ \Delta \Rightarrow G_1 \setminus C_1$ and $[\Sigma]\ \nabla \models C_1$, and $C_2$ such that $[\Sigma]\ \Delta \Rightarrow G_2 \setminus C_2$ and $[\Sigma]\ \nabla \models C_2$. We can conclude that
\[
\dfrac{[\Sigma]\ \Delta \Rightarrow G_1 \setminus C_1 \qquad [\Sigma]\ \Delta \Rightarrow G_2 \setminus C_2}{[\Sigma]\ \Delta \Rightarrow G_1 \wedge G_2 \setminus C_1 \wedge C_2}\ \wedge R
\]
observing that $[\Sigma]\ \nabla \models C_1 \wedge C_2$ follows from $[\Sigma]\ \nabla \models C_1$ and $[\Sigma]\ \nabla \models C_2$.

– Case $\vee R_i$
\[
\dfrac{[\Sigma]\ \Delta;\ \nabla \Rightarrow G_i}{[\Sigma]\ \Delta;\ \nabla \Rightarrow G_1 \vee G_2}\ \vee R_i
\]
By induction, we have $C$ such that $[\Sigma]\ \Delta \Rightarrow G_i \setminus C$ and $[\Sigma]\ \nabla \models C$; we can conclude by deriving
\[
\dfrac{[\Sigma]\ \Delta \Rightarrow G_i \setminus C}{[\Sigma]\ \Delta \Rightarrow G_1 \vee G_2 \setminus C}\ \vee R_i
\]

– Case $\exists R$
\[
\dfrac{[\Sigma]\ \nabla \models \exists X.C \qquad [\Sigma, X]\ \Delta;\ \nabla, C \Rightarrow G}{[\Sigma]\ \Delta;\ \nabla \Rightarrow \exists X{:}\sigma.G}\ \exists R
\]
By induction, we know that $[\Sigma, X]\ \Delta \Rightarrow G \setminus C'$ holds for some $C'$ satisfying $[\Sigma, X]\ \nabla, C \models C'$. We may derive
\[
\dfrac{[\Sigma, X]\ \Delta \Rightarrow G \setminus C'}{[\Sigma]\ \Delta \Rightarrow \exists X.G \setminus \exists X.C'}\ \exists R
\]
To complete this case, we need to show that $[\Sigma]\ \nabla \models \exists X.C'$. This follows by Lemma 3.4.

– Case $\text{И}R$
\[
\dfrac{[\Sigma]\ \nabla \models \text{И}a.C \qquad [\Sigma\#a]\ \Delta;\ \nabla, C \Rightarrow G}{[\Sigma]\ \Delta;\ \nabla \Rightarrow \text{И}a.G}\ \text{И}R
\]
By induction, we have that $[\Sigma\#a]\ \Delta \Rightarrow G \setminus C'$ holds for some $C'$ such that $[\Sigma\#a]\ \nabla, C \models C'$. We may derive
\[
\dfrac{[\Sigma\#a]\ \Delta \Rightarrow G \setminus C'}{[\Sigma]\ \Delta \Rightarrow \text{И}a.G \setminus \text{И}a.C'}\ \text{И}R
\]
Finally, to show that $[\Sigma]\ \nabla \models \text{И}a.C'$, we appeal to Lemma 3.5.

– Case sel
\[
\dfrac{[\Sigma]\ \Delta;\ \nabla \xrightarrow{D} A \qquad (D \in \Delta)}{[\Sigma]\ \Delta;\ \nabla \Rightarrow A}\ \mathit{sel}
\]
By induction hypothesis (2), there exist $G$ and $C$ such that $[\Sigma]\ \Delta \Rightarrow^{D} A \setminus G$, $[\Sigma]\ \Delta \Rightarrow G \setminus C$ and $[\Sigma]\ \nabla \models C$. Therefore, we can conclude by deriving
\[
\dfrac{[\Sigma]\ \Delta \Rightarrow^{D} A \setminus G \qquad [\Sigma]\ \Delta \Rightarrow G \setminus C \qquad (D \in \Delta)}{[\Sigma]\ \Delta \Rightarrow A \setminus C}\ \mathit{back}
\]
Now we consider the cases arising from part (2). 
– Case hyp
\[
\dfrac{[\Sigma]\ \nabla \models A \sim A'}{[\Sigma]\ \Delta;\ \nabla \xrightarrow{A'} A}\ \mathit{hyp}
\]
Then we take $G = A \sim A' = C$ and derive
\[
\dfrac{}{[\Sigma]\ \Delta \Rightarrow^{A'} A \setminus A \sim A'}\ \mathit{hyp} \qquad\qquad \dfrac{}{[\Sigma]\ \Delta \Rightarrow A \sim A' \setminus A \sim A'}\ \mathit{con}
\]
which suffices since $[\Sigma]\ \nabla \models A \sim A'$.

– Case $\wedge L_i$
\[
\dfrac{[\Sigma]\ \Delta;\ \nabla \xrightarrow{D_i} A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow{D_1 \wedge D_2} A}\ \wedge L_i
\]
Then, by induction, we have $G$ and $C$ such that $[\Sigma]\ \Delta \Rightarrow^{D_i} A \setminus G$, $[\Sigma]\ \Delta \Rightarrow G \setminus C$, and $[\Sigma]\ \nabla \models C$. It suffices to replace the first derivation with
\[
\dfrac{[\Sigma]\ \Delta \Rightarrow^{D_i} A \setminus G}{[\Sigma]\ \Delta \Rightarrow^{D_1 \wedge D_2} A \setminus G}\ \wedge L_i
\]

– Case ${\Rightarrow}L$
\[
\dfrac{[\Sigma]\ \Delta;\ \nabla \xrightarrow{D} A \qquad [\Sigma]\ \Delta;\ \nabla \Rightarrow G}{[\Sigma]\ \Delta;\ \nabla \xrightarrow{G \Rightarrow D} A}\ {\Rightarrow}L
\]
Then, by induction on the first subderivation, we have $C'$ and $G'$ such that $[\Sigma]\ \Delta \Rightarrow^{D} A \setminus G'$, $[\Sigma]\ \Delta \Rightarrow G' \setminus C'$, and $[\Sigma]\ \nabla \models C'$. By induction on the second subderivation, we have $[\Sigma]\ \Delta \Rightarrow G \setminus C$ and $[\Sigma]\ \nabla \models C$ for some $C$. To conclude, we derive
\[
\dfrac{[\Sigma]\ \Delta \Rightarrow^{D} A \setminus G'}{[\Sigma]\ \Delta \Rightarrow^{G \Rightarrow D} A \setminus G \wedge G'}\ {\Rightarrow}L \qquad\qquad \dfrac{[\Sigma]\ \Delta \Rightarrow G \setminus C \qquad [\Sigma]\ \Delta \Rightarrow G' \setminus C'}{[\Sigma]\ \Delta \Rightarrow G \wedge G' \setminus C \wedge C'}\ \wedge R
\]
since $[\Sigma]\ \nabla \models C \wedge C'$ follows from $[\Sigma]\ \nabla \models C$ and $[\Sigma]\ \nabla \models C'$.

– Case $\forall L$
\[
\dfrac{[\Sigma]\ \nabla \models \exists X.C \qquad [\Sigma, X]\ \Delta;\ \nabla, C \xrightarrow{D} A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow{\forall X.D} A}\ \forall L
\]
By induction hypothesis (2) applied to the second subderivation, there exist $G'$ and $C'$ such that $[\Sigma, X]\ \Delta \Rightarrow^{D} A \setminus G'$ and $[\Sigma, X]\ \Delta \Rightarrow G' \setminus C'$ and $[\Sigma, X]\ \nabla, C \models C'$. We may therefore derive
\[
\dfrac{[\Sigma, X]\ \Delta \Rightarrow^{D} A \setminus G'}{[\Sigma]\ \Delta \Rightarrow^{\forall X.D} A \setminus \exists X.G'}\ \forall L \qquad\qquad \dfrac{[\Sigma, X]\ \Delta \Rightarrow G' \setminus C'}{[\Sigma]\ \Delta \Rightarrow \exists X.G' \setminus \exists X.C'}\ \exists R
\]
and conclude by observing that $[\Sigma]\ \nabla \models \exists X.C'$ follows from the existing assumptions by Lemma 3.4.

– Case $\text{И}L$
\[
\dfrac{[\Sigma]\ \nabla \models \text{И}a.C \qquad [\Sigma\#a]\ \Delta;\ \nabla, C \xrightarrow{D} A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow{\text{И}a.D} A}\ \text{И}L
\]
By induction, we can obtain a goal $G'$ and a constraint $C'$ such that $[\Sigma\#a]\ \Delta \Rightarrow^{D} A \setminus G'$ and $[\Sigma\#a]\ \Delta \Rightarrow G' \setminus C'$ and $[\Sigma\#a]\ \nabla, C \models C'$. Clearly, we may now derive
\[
\dfrac{[\Sigma\#a]\ \Delta \Rightarrow^{D} A \setminus G'}{[\Sigma]\ \Delta \Rightarrow^{\text{И}a.D} A \setminus \text{И}a.G'}\ \text{И}L \qquad\qquad \dfrac{[\Sigma\#a]\ \Delta \Rightarrow G' \setminus C'}{[\Sigma]\ \Delta \Rightarrow \text{И}a.G' \setminus \text{И}a.C'}\ \text{И}R
\]
To conclude, we need to verify that $[\Sigma]\ \nabla \models \text{И}a.C'$. This follows by Lemma 3.5.

This exhausts all cases and completes the proof. □

C. PROOFS FROM SECTION 4.3 

Proposition 4.22. If $\Sigma(G \mid \nabla) \longrightarrow \Sigma'(G' \mid \nabla')$ and $[\Sigma']\ \Delta \Rightarrow G' \setminus C'$ then there exists $C$ such that

(1) $[\Sigma]\ \Delta \Rightarrow G \setminus C$ and

(2) $[\Sigma']\ \nabla', C' \models \nabla, C$.

Proof. Assume $[\Sigma']\ \Delta \Rightarrow G' \setminus C'$ is derivable. The proof is by case decomposition on the possible transition steps.

– Case $(B)$: If the backchaining rule is used,
\[
\Sigma(A, G_0 \mid \nabla) \longrightarrow \Sigma(G', G_0 \mid \nabla)
\]
where $[\Sigma]\ \Delta \Rightarrow^{D} A \setminus G'$ for some $D \in \Delta$, then we have $\Sigma' = \Sigma$; $G = A, G_0$; $G' = G', G_0$; $\nabla' = \nabla$; and $C' = C'', C_0$, so set $C = C'$. We can extract a subderivation of $[\Sigma]\ \Delta \Rightarrow G' \setminus C''$, so for (1) we derive $[\Sigma]\ \Delta \Rightarrow A, G_0 \setminus C'', C_0$ using the back rule. Part (2) is trivial.

– Case $(C)$: If the constraint rule is used, we have
\[
\Sigma(C, G' \mid \nabla) \longrightarrow \Sigma(G' \mid \nabla, C)
\]
where $\nabla, C$ is satisfiable. Then $\Sigma' = \Sigma$; $\nabla' = \nabla, C$; $G = C, G'$; and the residual constraint list for $G$ is $C, C'$. For (1), we can derive $[\Sigma]\ \Delta \Rightarrow C, G' \setminus C, C'$ using rule con; part (2) is trivial.

– Case $(\top)$: If the operational rule for $\top$ is used, we have
\[
\Sigma(\top, G' \mid \nabla) \longrightarrow \Sigma(G' \mid \nabla)
\]
Then $\Sigma' = \Sigma$; $\nabla' = \nabla$; $G = \top, G'$; for (1), $[\Sigma]\ \Delta \Rightarrow \top, G' \setminus \top, C'$ can be derived using $\top R$, while part (2) is trivial.

– Case $(\wedge)$:
\[
\Sigma(G_1 \wedge G_2, G_0 \mid \nabla) \longrightarrow \Sigma(G_1, G_2, G_0 \mid \nabla)
\]
Then $\Sigma = \Sigma'$; $\nabla' = \nabla$; $G = G_1 \wedge G_2, G_0$; $G' = G_1, G_2, G_0$; and $C' = C_1, C_2, C_0$. Set $C = C_1 \wedge C_2, C_0$. For (1), $[\Sigma]\ \Delta \Rightarrow G_1 \wedge G_2, G_0 \setminus C_1 \wedge C_2, C_0$ is derivable using $\wedge R$; moreover, for (2), observe that $[\Sigma]\ \nabla, C_1, C_2, C_0 \models \nabla, C_1 \wedge C_2, C_0$.

– Case $(\vee_i)$:
\[
\Sigma(G_1 \vee G_2, G_0 \mid \nabla) \longrightarrow \Sigma(G_i, G_0 \mid \nabla)
\]
Then $\Sigma = \Sigma'$; $\nabla' = \nabla$; $G = G_1 \vee G_2, G_0$; $G' = G_i, G_0$; and $C' = C, C_0$; so set $C = C'$. For (1), $[\Sigma]\ \Delta \Rightarrow G_1 \vee G_2, G_0 \setminus C, C_0$ follows using $\vee R_i$, while (2) is trivial.

– Case $(\exists)$:
\[
\Sigma(\exists X{:}\sigma.G, G_0 \mid \nabla) \longrightarrow \Sigma, X{:}\sigma(G, G_0 \mid \nabla)
\]
Then $\Sigma' = \Sigma, X$; $\nabla' = \nabla$; $G = \exists X.G, G_0$; $G' = G, G_0$; $C' = C, C_0$, so set $C = \exists X.C, C_0$. We can therefore derive $[\Sigma]\ \Delta \Rightarrow \exists X.G, G_0 \setminus \exists X.C, C_0$ for part (1). For part (2), we observe that $[\Sigma, X]\ \nabla, C, C_0 \models \nabla, \exists X.C, C_0$.

– Case $(\text{И})$: Similar to the case for $(\exists)$.
\[
\Sigma(\text{И}a{:}\nu.G, G_0 \mid \nabla) \longrightarrow \Sigma\#a{:}\nu(G, G_0 \mid \nabla)
\]
Then $\Sigma' = \Sigma\#a$; $\nabla' = \nabla$; $G = \text{И}a.G, G_0$; $G' = G, G_0$; $C' = C, C_0$, so set $C = \text{И}a.C, C_0$. For part (1), derive $[\Sigma]\ \Delta \Rightarrow \text{И}a.G, G_0 \setminus \text{И}a.C, C_0$ using $\text{И}R$. For part (2), observe that $[\Sigma\#a]\ \nabla, C, C_0 \models \nabla, \text{И}a.C, C_0$.

This completes the proof. □ 

Theorem 4.23. If $\Sigma(G \mid \nabla) \longrightarrow^{*} \Sigma'(\emptyset \mid \nabla')$ then there exists $C$ such that $[\Sigma']\ \nabla' \models \nabla, C$ and $[\Sigma]\ \Delta \Rightarrow G \setminus C$.

Proof. The proof is by induction on the number of transition steps. If no steps are taken, then $G$ is empty and $\nabla' = \nabla$, so taking $C$ to be empty, the conclusion is trivial. Otherwise we have steps
\[
\Sigma(G \mid \nabla) \longrightarrow \Sigma_0(G_0 \mid \nabla_0) \longrightarrow^{*} \Sigma'(\emptyset \mid \nabla') .
\]
By induction, there exists $C_0$ such that $[\Sigma']\ \nabla' \models \nabla_0, C_0$ and $[\Sigma_0]\ \Delta \Rightarrow G_0 \setminus C_0$. Using Proposition 4.22, we can construct $C$ such that $[\Sigma]\ \Delta \Rightarrow G \setminus C$ and $[\Sigma_0]\ \nabla_0, C_0 \models \nabla, C$. Moreover, using weakening and deduction, we can conclude that $[\Sigma']\ \nabla' \models \nabla, C$. □
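As an added worked example (not from the original paper), here is a complete run of the transition system on a small constructed program together with the residuated derivation that Theorem 4.23 guarantees, so that the constraint $C$ assembled by the cases of Proposition 4.22 can be seen concretely. Assume a constant $c$, predicates $p$ and $q$, an empty initial context and constraint set (written $\cdot$), and the program $\Delta = \{\forall X.\,(p(X) \Rightarrow q(X)),\ p(c)\}$; hyp residuates the constraint $A \sim A'$ as in the residuated rules.

\[
\begin{array}{lll}
\cdot(\exists Y.\,q(Y) \mid \cdot) & \longrightarrow\ Y(q(Y) \mid \cdot) & (\exists)\\
& \longrightarrow\ Y(\exists X.(p(X) \wedge q(Y) \sim q(X)) \mid \cdot) & (B),\ D = \forall X.(p(X) \Rightarrow q(X))\\
& \longrightarrow\ Y,X(p(X) \wedge q(Y) \sim q(X) \mid \cdot) & (\exists)\\
& \longrightarrow\ Y,X(p(X),\ q(Y) \sim q(X) \mid \cdot) & (\wedge)\\
& \longrightarrow\ Y,X(p(X) \sim p(c),\ q(Y) \sim q(X) \mid \cdot) & (B),\ D = p(c)\\
& \longrightarrow\ Y,X(q(Y) \sim q(X) \mid p(X) \sim p(c)) & (C)\\
& \longrightarrow\ Y,X(\emptyset \mid p(X) \sim p(c),\ q(Y) \sim q(X)) & (C)
\end{array}
\]

The two backchaining steps are justified by the residuated derivations
\[
\dfrac{\dfrac{\dfrac{}{[Y,X]\ \Delta \Rightarrow^{q(X)} q(Y) \setminus q(Y) \sim q(X)}\ \mathit{hyp}}{[Y,X]\ \Delta \Rightarrow^{p(X) \Rightarrow q(X)} q(Y) \setminus p(X) \wedge q(Y) \sim q(X)}\ {\Rightarrow}L}{[Y]\ \Delta \Rightarrow^{\forall X.(p(X) \Rightarrow q(X))} q(Y) \setminus \exists X.(p(X) \wedge q(Y) \sim q(X))}\ \forall L
\qquad
\dfrac{}{[Y,X]\ \Delta \Rightarrow^{p(c)} p(X) \setminus p(X) \sim p(c)}\ \mathit{hyp}
\]

Reading the run backwards through the cases of Proposition 4.22 assembles the residuated derivation of the original goal, one judgment per transition step:
\begin{align*}
&[Y,X]\ \Delta \Rightarrow p(X) \sim p(c) \setminus p(X) \sim p(c) && \mathit{con}\\
&[Y,X]\ \Delta \Rightarrow p(X) \setminus p(X) \sim p(c) && \mathit{back},\ D = p(c)\\
&[Y,X]\ \Delta \Rightarrow q(Y) \sim q(X) \setminus q(Y) \sim q(X) && \mathit{con}\\
&[Y,X]\ \Delta \Rightarrow p(X) \wedge q(Y) \sim q(X) \setminus p(X) \sim p(c) \wedge q(Y) \sim q(X) && \wedge R\\
&[Y]\ \Delta \Rightarrow \exists X.(p(X) \wedge q(Y) \sim q(X)) \setminus \exists X.(p(X) \sim p(c) \wedge q(Y) \sim q(X)) && \exists R\\
&[Y]\ \Delta \Rightarrow q(Y) \setminus \exists X.(p(X) \sim p(c) \wedge q(Y) \sim q(X)) && \mathit{back},\ D = \forall X.(p(X) \Rightarrow q(X))\\
&[\cdot]\ \Delta \Rightarrow \exists Y.\,q(Y) \setminus \exists Y.\exists X.(p(X) \sim p(c) \wedge q(Y) \sim q(X)) && \exists R
\end{align*}

So $C = \exists Y.\exists X.(p(X) \sim p(c) \wedge q(Y) \sim q(X))$, and the final constraint set $\nabla' = p(X) \sim p(c),\ q(Y) \sim q(X)$ satisfies $[Y,X]\ \nabla' \models C$ (the initial $\nabla$ is empty), which is the conclusion of Theorem 4.23 for this run; each $(C)$ step is the point where part (2) of Proposition 4.22 moves one conjunct of $C$ from the goal list into $\nabla$. Since no names occur in this constructed program, every $\sim$ constraint is satisfied with the identity permutation, for instance by $X = c$ and $Y = c$.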

Proposition 4.24. For any nonempty $G$ and satisfiable $\nabla, C$, if we have a derivation $\mathcal{D} :: [\Sigma]\ \Delta \Rightarrow G \setminus C$ then for some $\Sigma'$, $\nabla'$, $G'$ and $C'$ we have

(1) $\Sigma(G \mid \nabla) \longrightarrow \Sigma'(G' \mid \nabla')$,

(2) $\mathcal{D}' :: [\Sigma']\ \Delta \Rightarrow G' \setminus C'$, where $\mathcal{D}'$ is smaller than $\mathcal{D}$,

(3) $\exists\Sigma[\nabla, C] \models \exists\Sigma'[\nabla', C']$.

Proof. Let $G$, $C$, $\nabla$ be given as above. Since $G$ is nonempty, we must have $G = G, G_0$ and $C = C, C_0$. The proof is by case decomposition of the derivation of $[\Sigma]\ \Delta \Rightarrow G \setminus C$.

– Suppose the derivation is of the form
\[
\dfrac{}{[\Sigma]\ \Delta \Rightarrow C \setminus C}\ \mathit{con}
\]
thus, $G = C, G_0$ and $C = C, C_0$. Then set $\Sigma' = \Sigma$; $\nabla' = \nabla, C$. We can take the step $\Sigma(C, G_0 \mid \nabla) \longrightarrow \Sigma(G_0 \mid \nabla, C)$. For (2), we already have the smaller derivation $[\Sigma]\ \Delta \Rightarrow G_0 \setminus C_0$, and for (3), observe that $\exists\Sigma[\nabla, (C, C_0)] \models \exists\Sigma[(\nabla, C), C_0]$.

– Case $\top R$: If the derivation is of the form
\[
\dfrac{}{[\Sigma]\ \Delta \Rightarrow \top \setminus \top}\ \top R
\]
then $G = \top, G_0$ and $C = \top, C_0$. Setting $\Sigma' = \Sigma$, $\nabla' = \nabla$, clearly $\Sigma(\top, G_0 \mid \nabla) \longrightarrow \Sigma(G_0 \mid \nabla)$. For (2), we already have the smaller derivation $[\Sigma]\ \Delta \Rightarrow G_0 \setminus C_0$, and for (3), $\exists\Sigma[\nabla, \top, C_0] \models \exists\Sigma[\nabla, C_0]$.

– Case $\wedge R$: If the derivation is of the form
\[
\dfrac{[\Sigma]\ \Delta \Rightarrow G_1 \setminus C_1 \qquad [\Sigma]\ \Delta \Rightarrow G_2 \setminus C_2}{[\Sigma]\ \Delta \Rightarrow G_1 \wedge G_2 \setminus C_1 \wedge C_2}\ \wedge R
\]
thus, $G = G_1 \wedge G_2, G_0$ and $C = C_1 \wedge C_2, C_0$. Setting $\Sigma' = \Sigma$; $\nabla' = \nabla$; $G' = G_1, G_2, G_0$; and $C' = C_1, C_2, C_0$, we can take the operational step $\Sigma(G_1 \wedge G_2, G_0 \mid \nabla) \longrightarrow \Sigma(G_1, G_2, G_0 \mid \nabla)$. In addition, for (2) we have the subderivations $[\Sigma]\ \Delta \Rightarrow G_1, G_2, G_0 \setminus C_1, C_2, C_0$, and for (3), $\exists\Sigma[\nabla, C_1 \wedge C_2, C_0] \models \exists\Sigma[\nabla, C_1, C_2, C_0]$, as desired.

– Case $\vee R_i$: If the derivation is of the form
\[
\dfrac{[\Sigma]\ \Delta \Rightarrow G_i \setminus C}{[\Sigma]\ \Delta \Rightarrow G_1 \vee G_2 \setminus C}\ \vee R_i
\]
then $G = G_1 \vee G_2, G_0$ and $C = C, C_0$. Setting $\Sigma' = \Sigma$; $\nabla' = \nabla$; $G' = G_i, G_0$; and $C' = C, C_0$, we can take the operational step $\Sigma(G_1 \vee G_2, G_0 \mid \nabla) \longrightarrow \Sigma(G_i, G_0 \mid \nabla)$. Moreover, for part (2) we have the immediate subderivations $[\Sigma]\ \Delta \Rightarrow G_i, G_0 \setminus C, C_0$, and part (3) is trivial.

– Case $\exists R$: For a derivation of the form
\[
\dfrac{[\Sigma, X]\ \Delta \Rightarrow G \setminus C}{[\Sigma]\ \Delta \Rightarrow \exists X{:}\sigma.G \setminus \exists X.C}\ \exists R
\]
we have $G = \exists X.G, G_0$ and $C = \exists X.C, C_0$. Setting $\Sigma' = \Sigma, X$; $\nabla' = \nabla$; $G' = G, G_0$; $C' = C, C_0$, we can take the operational step $\Sigma(\exists X.G, G_0 \mid \nabla) \longrightarrow \Sigma, X(G, G_0 \mid \nabla)$. Moreover, for part (2), from the given derivations we can obtain the subderivations $[\Sigma, X]\ \Delta \Rightarrow G, G_0 \setminus C, C_0$. For part (3), observe that $\exists\Sigma[\nabla, \exists X.C, C_0] \models \exists\Sigma, X[\nabla, C, C_0]$ since $X$ is not free in $\nabla, C_0$.

– Case $\text{И}R$: In this case, the derivation is of the form
\[
\dfrac{[\Sigma\#a]\ \Delta \Rightarrow G \setminus C}{[\Sigma]\ \Delta \Rightarrow \text{И}a.G \setminus \text{И}a.C}\ \text{И}R
\]
so $G = \text{И}a.G, G_0$ and $C = \text{И}a.C, C_0$. Setting $\Sigma' = \Sigma\#a$; $\nabla' = \nabla$; $G' = G, G_0$; $C' = C, C_0$, we can take the operational step $\Sigma(\text{И}a.G, G_0 \mid \nabla) \longrightarrow \Sigma\#a(G, G_0 \mid \nabla)$. In addition, for (2) we can obtain the smaller subderivations $[\Sigma\#a]\ \Delta \Rightarrow G, G_0 \setminus C, C_0$ from the given derivations, and for (3) observe that $\exists\Sigma[\nabla, \text{И}a.C, C_0] \models \exists\Sigma\#a[\nabla, C, C_0]$ since $a$ is not free in $\nabla, C_0$.

– Case back: For a derivation of the form
\[
\dfrac{[\Sigma]\ \Delta \Rightarrow^{D} A \setminus G' \qquad [\Sigma]\ \Delta \Rightarrow G' \setminus C \qquad (D \in \Delta)}{[\Sigma]\ \Delta \Rightarrow A \setminus C}\ \mathit{back}
\]
we have $G = A, G_0$ and $C = C, C_0$. Set $\Sigma' = \Sigma$; $G' = G', G_0$; $C' = C, C_0$; $\nabla' = \nabla$. Using the first subderivation, we can take a backchaining step $\Sigma(A, G_0 \mid \nabla) \longrightarrow \Sigma(G', G_0 \mid \nabla)$. Moreover, for part (2), using the second subderivation we obtain a smaller derivation $[\Sigma]\ \Delta \Rightarrow G', G_0 \setminus C, C_0$, and part (3) is trivial.

This completes the proof. □

Theorem 4.25. If $[\Sigma]\ \Delta \Rightarrow G \setminus C$ and $\nabla, C$ is satisfiable then for some $\Sigma'$ and $\nabla'$, we have $\Sigma(G \mid \nabla) \longrightarrow^{*} \Sigma'(\emptyset \mid \nabla')$ and $\exists\Sigma[\nabla, C] \models \exists\Sigma'[\nabla']$.

Proof. The proof is by induction on the length of $G$ and the sizes of the derivations $\mathcal{D}$ of $[\Sigma]\ \Delta \Rightarrow G \setminus C$. If $G$ is empty, then we are done. Otherwise, using Proposition 4.24, there exist $\Sigma_0$, $G_0$, $C_0$, and $\nabla_0$ such that
\[
\Sigma(G \mid \nabla) \longrightarrow \Sigma_0(G_0 \mid \nabla_0) \qquad \mathcal{D}' :: [\Sigma_0]\ \Delta \Rightarrow G_0 \setminus C_0 \qquad \exists\Sigma[\nabla, C] \models \exists\Sigma_0[\nabla_0, C_0]
\]
The derivation $\mathcal{D}'$ is smaller than $\mathcal{D}$, and the satisfiability of $\nabla, C$ implies that $\nabla_0, C_0$ is also satisfiable, so the induction hypothesis applies. Accordingly, construct $\Sigma'$, $\nabla'$ such that
\[
\Sigma_0(G_0 \mid \nabla_0) \longrightarrow^{*} \Sigma'(\emptyset \mid \nabla') \qquad \exists\Sigma_0[\nabla_0, C_0] \models \exists\Sigma'[\nabla']
\]
Chaining the transitions and entailments, we conclude
\[
\Sigma(G \mid \nabla) \longrightarrow \Sigma_0(G_0 \mid \nabla_0) \longrightarrow^{*} \Sigma'(\emptyset \mid \nabla') \qquad \exists\Sigma[\nabla, C] \models \exists\Sigma_0[\nabla_0, C_0] \models \exists\Sigma'[\nabla']
\]
as desired. □

D. PROOFS FROM SECTION 5.3.2 

Lemma 5.14. Let $\Delta$ be a $\text{И}$-goal program and $\pi$ be a type-preserving permutation of names in $\Sigma$.

(1) If $[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} G$ then $[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot G$.

(2) If $[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{D} A$ then $[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{\pi \cdot D} \pi \cdot A$.

Proof. By induction on derivations.

– For case con, we transform derivations as follows:
\[
\dfrac{[\Sigma]\ \nabla \models C}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} C}\ \mathit{con} \quad\longmapsto\quad \dfrac{[\Sigma]\ \nabla \models \pi \cdot C}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot C}\ \mathit{con}
\]
since $[\Sigma]\ \nabla \models C$ implies $[\Sigma]\ \nabla \models \pi \cdot C$.

– For case $\top R$, we transform
\[
\dfrac{}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \top}\ \top R \quad\longmapsto\quad \dfrac{}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot \top}\ \top R
\]
since $\pi \cdot \top = \top$.

– For case $\wedge R$, note that $\pi \cdot (G_1 \wedge G_2) = \pi \cdot G_1 \wedge \pi \cdot G_2$; so we transform
\[
\dfrac{\mathcal{D}_1 :: [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} G_1 \qquad \mathcal{D}_2 :: [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} G_2}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} G_1 \wedge G_2}\ \wedge R \quad\longmapsto\quad \dfrac{\mathcal{D}_1' :: [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot G_1 \qquad \mathcal{D}_2' :: [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot G_2}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot (G_1 \wedge G_2)}\ \wedge R
\]
where by induction $\mathcal{D}_i :: [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} G_i \longmapsto \mathcal{D}_i' :: [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot G_i$ for $i \in \{1, 2\}$.

– For case $\vee R_i$ ($i \in \{1, 2\}$), note that $\pi \cdot (G_1 \vee G_2) = \pi \cdot G_1 \vee \pi \cdot G_2$, so we have
\[
\dfrac{\mathcal{D} :: [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} G_i}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} G_1 \vee G_2}\ \vee R_i \quad\longmapsto\quad \dfrac{\mathcal{D}' :: [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot G_i}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot (G_1 \vee G_2)}\ \vee R_i
\]
where by induction $\mathcal{D} :: [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} G_i \longmapsto \mathcal{D}' :: [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot G_i$.

– For case $\exists R$, we have
\[
\dfrac{[\Sigma]\ \nabla \models \exists X.C[X] \qquad \mathcal{D} :: [\Sigma, X]\ \Delta;\ \nabla, C[X] \Rightarrow_{\approx} G}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \exists X.G}\ \exists R
\]
Note that $\pi \cdot \exists X.G[X] = \exists X.\pi \cdot G[\pi^{-1} \cdot X]$. By induction,
\[
\mathcal{D} :: [\Sigma, X]\ \Delta;\ \nabla, C[X] \Rightarrow_{\approx} G \quad\longmapsto\quad \mathcal{D}' :: [\Sigma, X]\ \Delta;\ \nabla, C[X] \Rightarrow_{\approx} \pi \cdot G[X] .
\]
Since $\pi$ is invertible, we can substitute $Y = \pi \cdot X$ to obtain $\mathcal{D}'' :: [\Sigma, Y]\ \Delta;\ \nabla, C[\pi^{-1} \cdot Y] \Rightarrow_{\approx} \pi \cdot G[\pi^{-1} \cdot Y]$; moreover, clearly, $[\Sigma]\ \nabla \models \exists Y.C[\pi^{-1} \cdot Y]$, so we can conclude
\[
\dfrac{[\Sigma]\ \nabla \models \exists Y.C[\pi^{-1} \cdot Y] \qquad \mathcal{D}'' :: [\Sigma, Y]\ \Delta;\ \nabla, C[\pi^{-1} \cdot Y] \Rightarrow_{\approx} \pi \cdot G[\pi^{-1} \cdot Y]}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot \exists X.G}\ \exists R .
\]

– For case $\text{И}R$, we have the derivation
\[
\dfrac{[\Sigma]\ \nabla \models \text{И}a.C \qquad \mathcal{D} :: [\Sigma\#a]\ \Delta;\ \nabla, C \Rightarrow_{\approx} G}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \text{И}a{:}\nu.G}\ \text{И}R \quad\longmapsto\quad \dfrac{[\Sigma]\ \nabla \models \text{И}a.C \qquad \mathcal{D}' :: [\Sigma\#a]\ \Delta;\ \nabla, C \Rightarrow_{\approx} \pi \cdot G}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot (\text{И}a{:}\nu.G)}\ \text{И}R
\]
since $\pi \cdot \text{И}a{:}\nu.G = \text{И}a{:}\nu.\pi \cdot G$ (because, without loss of generality, $a \notin FN(\Sigma) \cup supp(\pi)$). The derivation $\mathcal{D}' :: [\Sigma\#a]\ \Delta;\ \nabla, C \Rightarrow_{\approx} \pi \cdot G$ is obtained by induction.

– For case sel,
\[
\dfrac{\mathcal{D} :: [\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{D} A \qquad (D \in \Delta)}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} A}\ \mathit{sel} \quad\longmapsto\quad \dfrac{\mathcal{D}' :: [\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{D} \pi \cdot A \qquad (D \in \Delta)}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot A}\ \mathit{sel}
\]
using induction hypothesis (2) to derive $\mathcal{D}'$ from $\mathcal{D}$, and the fact that $\pi \cdot D = D$ (because $D \in \Delta$ is closed).

For part (2), all cases are straightforward; cases hyp and $\text{И}L$ are of interest.

– Case hyp
\[
\dfrac{[\Sigma]\ \nabla \models A' \approx A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{A'} A}\ \mathit{hyp} \quad\longmapsto\quad \dfrac{[\Sigma]\ \nabla \models \pi \cdot A' \approx \pi \cdot A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{\pi \cdot A'} \pi \cdot A}\ \mathit{hyp}
\]
since $[\Sigma]\ A' \approx A \models \pi \cdot A' \approx \pi \cdot A$.

– Case $\wedge L_i$
\[
\dfrac{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{D_i} A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{D_1 \wedge D_2} A}\ \wedge L_i \quad\longmapsto\quad \dfrac{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{\pi \cdot D_i} \pi \cdot A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{\pi \cdot (D_1 \wedge D_2)} \pi \cdot A}\ \wedge L_i
\]
since $\pi \cdot (D_1 \wedge D_2) = \pi \cdot D_1 \wedge \pi \cdot D_2$. The subderivations are constructed by induction.

– Case ${\Rightarrow}L$
\[
\dfrac{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{D} A \qquad [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} G}{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{G \Rightarrow D} A}\ {\Rightarrow}L \quad\longmapsto\quad \dfrac{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{\pi \cdot D} \pi \cdot A \qquad [\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} \pi \cdot G}{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{\pi \cdot (G \Rightarrow D)} \pi \cdot A}\ {\Rightarrow}L
\]
where the subderivations are obtained by induction; this suffices because $\pi \cdot (G \Rightarrow D) = \pi \cdot G \Rightarrow \pi \cdot D$.

– Case $\forall L$: We have
\[
\dfrac{[\Sigma]\ \nabla \models \exists X.C[X] \qquad [\Sigma, X]\ \Delta;\ \nabla, C[X] \xrightarrow[\approx]{D[X]} A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{\forall X.D} A}\ \forall L
\]
The argument is similar to that for $\exists R$ in part (1). By induction we have $[\Sigma, X]\ \Delta;\ \nabla, C[X] \xrightarrow[\approx]{\pi \cdot D[X]} \pi \cdot A$. Substituting $Y = \pi \cdot X$, we have $[\Sigma, Y]\ \Delta;\ \nabla, C[\pi^{-1} \cdot Y] \xrightarrow[\approx]{\pi \cdot D[\pi^{-1} \cdot Y]} \pi \cdot A$ and $[\Sigma]\ \nabla \models \exists Y.C[\pi^{-1} \cdot Y]$. It follows that
\[
\dfrac{[\Sigma]\ \nabla \models \exists Y.C[\pi^{-1} \cdot Y] \qquad [\Sigma, Y]\ \Delta;\ \nabla, C[\pi^{-1} \cdot Y] \xrightarrow[\approx]{\pi \cdot D[\pi^{-1} \cdot Y]} \pi \cdot A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{\forall Y.\pi \cdot D[\pi^{-1} \cdot Y]} \pi \cdot A}\ \forall L
\]
since $\pi \cdot \forall X.D = \forall Y.\pi \cdot D[\pi^{-1} \cdot Y]$.

– The case for $\text{И}L$ is vacuous because no formulas $\text{И}a.D$ can appear in a $\text{И}$-goal program.

This completes the proof. □

Theorem 5.15. If $\Delta$ is $\text{И}$-goal then

(1) If $[\Sigma]\ \Delta;\ \nabla \Rightarrow G$ is derivable, then $[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} G$ is derivable.

(2) If $[\Sigma]\ \Delta;\ \nabla \xrightarrow{D} A$ is derivable, there exists a $\pi$ such that $[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{\pi \cdot D} A$ is derivable.

Proof. The proof is by induction on derivations. For part (1), the most interesting case is sel; the rest are straightforward and omitted.

– For sel, we have
\[
\dfrac{[\Sigma]\ \Delta;\ \nabla \xrightarrow{D} A}{[\Sigma]\ \Delta;\ \nabla \Rightarrow A}\ \mathit{sel}
\]
for some closed $D \in \Delta$. By induction hypothesis (2), for some $\pi$, $[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{\pi \cdot D} A$ holds. However, since $D$ is closed, $\pi \cdot D = D \in \Delta$, so we may conclude
\[
\dfrac{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{D} A \qquad (D \in \Delta)}{[\Sigma]\ \Delta;\ \nabla \Rightarrow_{\approx} A}\ \mathit{sel}
\]

For part (2), the interesting cases are hyp and $\text{И}L$; the others are omitted.

– For hyp, we have
\[
\dfrac{[\Sigma]\ \nabla \models A' \sim A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow{A'} A}\ \mathit{hyp}
\]
By definition, $[\Sigma]\ \nabla \models A' \sim A$ means there exists a $\pi$ such that $[\Sigma]\ \nabla \models \pi \cdot A' \approx A$, so
\[
\dfrac{[\Sigma]\ \nabla \models \pi \cdot A' \approx A}{[\Sigma]\ \Delta;\ \nabla \xrightarrow[\approx]{\pi \cdot A'} A}\ \mathit{hyp}
\]

– Case $\text{И}L$ is vacuous, since no instance of $\text{И}L$ can occur in a derivation involving a $\text{И}$-goal program.

This completes the proof. □